Abstract

The behavior of a parallel system depends not only on the properties of the individual components running in parallel, but also on the interactions among those components. These interactions in turn depend on external factors (such as the relative speed of processors or the particular scheduler implementation) whose details can be complex or even unknown. By introducing appropriate fairness assumptions, which, roughly speaking, state that every sufficiently enabled component eventually proceeds, we can abstract away from these details without ignoring them completely. However, modeling fairness for communicating processes is especially difficult: synchronization requires the cooperation and active participation of multiple processes, and hence the enabledness of a process depends on the ability of other processes to synchronize with it.

This dissertation introduces a general framework for modeling fairness for communicating processes, based on the notion of fair traces. Intuitively, a fair trace is an abstract representation of a fair computation, providing enough structure to capture the important essence of the computation (e.g., the sequences of states encountered or the communications made along it) as well as any contextual information necessary for compositionality. Within this framework, the meaning of a command is simply the set of fair traces that correspond to its possible fair computations. For each construct of the language, we define a corresponding operation on trace sets that reflects its operational behavior.

The use of traces provides a strong connection between the language’s operational semantics and its denotational semantics, allowing operational intuition to guide formal, syntax-directed reasoning. Moreover, this trace framework is remarkably robust. By varying the structure of the traces, we can construct several different semantics that reflect different types of fairness assumptions for the same language of communicating processes.
Chapter 1
Introduction

Reasoning about deterministic sequential programs is a relatively straightforward task: at any particular instant, there is only one thread of control, and its next action can be determined solely from the current state. The situation changes dramatically, however, when we start considering parallel programs. When a system comprises several components running in parallel, its behavior depends not only on properties of the individual components but also on the interactions among them. Any attempt to model or reason formally about parallel-program behavior must take these interactions into account [Mil75]. However, the interactions in turn depend on external factors, such as the relative speed of processors or the implementation of the scheduler, whose details can be complex or (in many cases) unknown. As a result, reasoning formally about parallel systems often requires abstracting away from these details without ignoring them completely. One common and useful abstraction, and the subject of this dissertation, is fairness.

This chapter provides a brief introduction to the concept of fairness and the reasons for (and the arguments against) adopting fairness assumptions to reason about the behavior of parallel programs. It also describes the goal of this dissertation, namely the construction of a denotational framework for fair communicating processes, and provides a sketch of the approach taken. The chapter concludes with a roadmap for the remainder of the dissertation.


1.1 The Case for Fairness

To be precise, fairness is not a single abstraction but rather a collection of abstractions that all express the same underlying theme: no component should forever be denied its rightful opportunity to proceed. This simple theme applies to many settings; both Francez [Fra86] and Kwiatkowska [Kwi89] provide extensive surveys. In each setting, the role of the fairness assumption is to simplify the task of reasoning about program behavior.


When we reason about programs, we typically want to prove that a program satisfies some combination of safety and liveness properties. Safety properties are those properties that state that “nothing bad” ever happens: deadlock-freedom, data consistency, and mutual exclusion are all examples of safety properties. Safety properties correspond to program invariants: proving that a program satisfies a safety property amounts to showing that every reachable state satisfies the necessary invariant. As a result, fairness assumptions are not necessary for proving safety properties.

In contrast, liveness properties state that “something good” eventually happens, such as termination, the granting of a request, or the occurrence of a particular event. Fairness itself is a liveness property: the “something good” guaranteed to occur is a component’s eventual progress. Whereas safety properties represent features of individual states, liveness properties reflect characteristics of sequences of states. As a result, they depend on the particular events that occur and the order in which those events occur. For example, consider the following simple shared-variable program:

x:=0; y:=1; (while y ≠ 0 do x:=x+1 || y:=0).

To determine whether the program terminates, we need to know how the two parallel subcomponents are scheduled. For instance, if we know that the assignment y:=0 occurs before the first evaluation of the conditional y ≠ 0, then we can deduce that the program terminates with the value of x set to 0. More generally, if we know that the assignment y:=0 occurs between the n-th and (n+1)-th evaluations of the conditional, then we can deduce that the program terminates with the value of x set to n.

What can we deduce about the program’s termination without such detailed knowledge? At first glance, we can deduce very little: a biased scheduler could prevent the assignment y:=0 from ever occurring, in which case the program does not terminate. However, because every reasonable scheduler is fair, we can abstract away from the scheduler details by assuming fairness. Simply knowing that the scheduler is fair, that is, that the scheduler will eventually let the assignment occur, allows us to deduce that the program terminates. In this case, fairness allows us to prove a liveness property that we otherwise could not prove. Of course, assuming fairness leaves us with very little information about the final value of x: the most that we can say is that the final value is a nonnegative integer. This example illustrates the phenomenon of unbounded nondeterminism that often arises with fairness: although the program is guaranteed to terminate, there is an infinite number of possible final values for x.
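To make the scheduling argument above concrete, here is an added example (not code from the dissertation) that simulates the program x:=0; y:=1; (while y ≠ 0 do x:=x+1 || y:=0) one atomic step at a time under a round-robin scheduler, under fair schedulers that let y:=0 happen only after the loop test has run n times, and under a biased scheduler that never runs y:=0. The scheduler interface, the process names and the step budget used as a stand-in for nontermination are assumptions of this example.

```python
"""Added example (not from the dissertation): a step-by-step simulation of
the shared-variable program of Section 1.1,

    x:=0; y:=1; (while y != 0 do x:=x+1 || y:=0)

under different schedulers.  The scheduler interface, the process names and
the step budget are assumptions of this example."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class State:
    x: int = 0
    y: int = 1
    cond_evals: int = 0       # how often the loop test y != 0 has been evaluated


class LoopProcess:
    """Left component: while y != 0 do x := x+1, one atomic action per step."""

    def __init__(self) -> None:
        self.done = False
        self.in_body = False  # True: next action is x:=x+1; False: next action is the test

    def step(self, s: State) -> None:
        if self.in_body:
            s.x += 1
            self.in_body = False
        else:
            s.cond_evals += 1
            if s.y != 0:
                self.in_body = True
            else:
                self.done = True


class AssignProcess:
    """Right component: the single atomic action y := 0."""

    def __init__(self) -> None:
        self.done = False

    def step(self, s: State) -> None:
        s.y = 0
        self.done = True


# A scheduler sees the step number, the indices of the enabled components
# (0 = loop, 1 = assignment) and the current state, and picks one to run.
Scheduler = Callable[[int, List[int], State], int]


def run(scheduler: Scheduler, max_steps: int = 10_000) -> Optional[State]:
    """Run the program; return the final state on termination, or None if the
    step budget is exhausted (our finite stand-in for nontermination)."""
    s = State()
    procs = [LoopProcess(), AssignProcess()]
    for t in range(max_steps):
        enabled = [i for i, p in enumerate(procs) if not p.done]
        if not enabled:
            return s
        procs[scheduler(t, enabled, s)].step(s)
    return None


def round_robin(t: int, enabled: List[int], s: State) -> int:
    """A fair scheduler: every enabled component gets a turn in rotation."""
    return enabled[t % len(enabled)]


def delay_assignment(n: int) -> Scheduler:
    """Fair, but lets y:=0 happen only once the loop test has run n times,
    i.e. between the n-th and (n+1)-th evaluations of the conditional."""
    def sched(t: int, enabled: List[int], s: State) -> int:
        return 1 if 1 in enabled and s.cond_evals >= n else 0
    return sched


def biased(t: int, enabled: List[int], s: State) -> int:
    """An unfair scheduler: never runs y:=0 while the loop is still live."""
    return 0 if 0 in enabled else enabled[0]


def final_values(max_n: int) -> set:
    """Final values of x obtainable under fair scheduling for delays 0..max_n-1:
    one distinct value per delay, illustrating unbounded nondeterminism."""
    return {run(delay_assignment(n)).x for n in range(max_n)}


if __name__ == "__main__":
    print("round robin :", run(round_robin))
    print("delay 5     :", run(delay_assignment(5)))
    print("biased      :", run(biased))
    print("fair finals :", sorted(final_values(10)))
```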


1.2 Fairness: Complications and Criticisms

The underlying theme of fairness is simple yet powerful: by assuming only general features of a scheduler, we can prove liveness properties of parallel programs. However, this simplicity belies the complexity of reasoning formally about fairness. The well-known relationship between fairness and unbounded nondeterminism has hampered both operational and denotational accounts of fairness, requiring the use of transfinite ordinals for proof rules and the use of noncontinuous semantic operators [Par79, AP86]. Moreover, the halting problem for programs with unbounded nondeterminism is Π¹₁-complete [Cha78], as is predicate-satisfiability under fairness assumptions [EC80]. The complications inherent to fairness have led some people to discard it altogether; several arguments have been made against adopting fairness [Dij88, Hoa78]. We address the most common criticisms here:

• Fairness is an unrealistic assumption, because no scheduler should be expected to generate all fair computations.

This criticism reflects a common misunderstanding. A fair scheduler does not need to generate all fair computations; rather, it must generate only fair computations. A simple round-robin scheduler is fair, because it guarantees each process an opportunity to proceed. Indeed, any reasonable scheduler is fair: a parallel system that ignores arbitrary processes is not much use.

• No finite experiment can distinguish a fair implementation from an unfair implementation, and hence the distinction between fair and unfair computations is meaningless.

Indeed, there is no way to distinguish a fair implementation from an unfair implementation simply by looking at some finite portion of a resulting computation: such is the nature of liveness properties in general. The fact is that we often want to reason about liveness properties such as the eventual granting of all resource requests or guaranteed message delivery: these properties cannot be determined solely by examining finite portions of computations either. Even proving termination of deterministic sequential programs is undecidable, and yet very few would argue that the distinction between terminating computations and nonterminating computations is meaningless.

• Fairness should not be part of a language definition: it is the programmer’s responsibility to prove her programs correct without relying on a fair implementation.

Fairness does not need to be part of the language definition to be a useful abstraction. Indeed, different implementations of the same language may provide different levels of fairness. However, proving programs correct often involves proving that they satisfy certain liveness properties, which in turn requires knowing general features or precise details of the scheduler. Without fairness, the programmer must understand the underlying implementation in detail or write her own scheduler.

In summary, fairness is a useful and often necessary abstraction, in spite of the technical difficulties that it introduces. Whereas discarding fairness may avoid technical complications, it does not reduce the complexity of reasoning about parallel programs.


1.3 Thesis Scope

Communicating processes represent an important (and still relevant) paradigm for parallel-program implementation in which processes communicate with one another through synchronous or asynchronous message passing; this paradigm is reflected in (among others) CCS [Mil80], CSP [Hoa78, Hoa85], occam [INM84], Ada [Uni80], and even the widely accepted MPI (Message Passing Interface) standard [Mes94]. In this dissertation, I explore the problem of modeling fairness for synchronously communicating processes, developing a denotational framework that incorporates a variety of fairness assumptions for these processes.

Modeling fairness for communicating processes is more difficult than for shared-variable programs. In the shared-memory paradigm, processes communicate with one another through changes to the shared global state. To avoid inadvertent (and inconsistent) simultaneous accesses to the shared state, shared-memory programs emphasize mutual exclusion. Whether a given process is enabled depends only on the global state: a process’s ability to make progress is independent of the status of the processes in parallel with it. In contrast, the emphasis in the communicating-process paradigm is on synchronization, which requires the active cooperation and participation of two (or possibly more) processes. As a result, a process’s ability to make progress is no longer a local property: it depends on the ability of other processes to synchronize with it. No matter how determined a process is to perform a particular communication, and regardless of how benevolent the scheduler is, the communication can occur only if some other process can synchronize with it. This dependence on other processes for progress has important consequences for modeling fairness: determining whether a process is treated fairly depends on knowing not only what the particular process is trying to do but also what types of actions the processes in parallel with it can perform.

Complicating the problem is the number of fairness assumptions that are applicable for communicating processes. Several different types of fairness have been considered for communicating processes (see, for example, [Fra86] and [KdR83]), each one reflecting a different type of obligation that we might wish to impose on the implementation. For example, in addition to expecting that every process makes progress, we might require that certain pairs of processes communicate with one another or that particular communications eventually occur. Each of these different fairness assumptions affects the allowable program behavior and impacts the corresponding semantic model in some way. Can we construct a semantic framework that accounts for these different assumptions in a unified way, making only the distinctions necessary for dealing with the underlying differences in assumptions?


1.3.1 Thesis approach

Traces have long been used to model concurrency [Par79, Bro96b, Hoa81, BHR84, BR84, Hen85, Jon94, Rus90, Jos92]. In this dissertation, I show that traces can be extended with additional contextual information to support compositional reasoning about fair concurrency. Intuitively, a trace is an abstract record of a program execution, capturing the important aspects (e.g., communication sequences or state changes) of the execution while abstracting away from unimportant details such as program syntax. By adding appropriate structure that represents fairness-related contextual information (e.g., information about the communications that could have occurred along the computation) to yield fair traces, we can model the fair behaviors of communicating processes in a compositional manner.

The contextual components of the fair traces are essential for modeling fairness accurately, because they provide information about the type of situations in which the given trace represents a fair computation. However, determining exactly what type of structure these components require can be difficult: the extent to which program contexts affect the perceived fairness of (sub)computations depends on the particular notion of fairness under consideration. Generally speaking, the fair computations of a parallel command c1||c2 cannot be defined only in terms of the fair computations of c1 and c2. The problem is that, because synchronous communications require the cooperation and participation of more than one process, a given (sub)computation of c1 can be either fair or unfair when made part of a larger computation of c1||c2, depending on what type of synchronization opportunities the component c2 provides.

As a result, it is necessary to consider “almost fair” computations, which can be considered fair under certain assumptions (i.e., in certain contexts). By introducing notions of parameterized fairness, we can make precise this notion of “almost fair”. Roughly speaking, these parameterized forms of fairness capture the features of program contexts that affect the fair progress of processes, such as the communications enabled along a computation and the types of communications that blocked processes are trying to perform. These parameterized forms of fairness are essential for the denotational (i.e., compositional) characterization of fairness.

Once the appropriate structure for the fair traces has been determined, the meaning of a command is given by the set of fair traces that correspond to its computations. To characterize this semantic function denotationally, we define operations on trace sets that reflect the operational behavior of the language constructs. For example, the computations of the sequential composition c1;c2 in essence arise from appending computations of c2 to computations of c1. The trace set of the command c1;c2 likewise can be created by appending traces of c2 to traces of c1.

The most difficult language construct to model is parallel composition. Generally speaking, the computations of c1||c2 arise from merging and interleaving computations of c1 with computations of c2. However, not all pairs of computations can be merged and still reflect meaningful computations: for example, the progress made by one component may affect the perceived fairness of the other component’s actions. The role of the fair traces’ contextual components is to provide information sufficient for determining which merges are meaningful; we let a predicate mergeable indicate such combinations. It is also important that the merges of the traces are fair merges [Par79]: a fair merge of traces φ1 and φ2 consumes all of φ1 and all of φ2. To this end, we define a relation $\mathit{fairmerge} \subseteq \Phi \times \Phi \times \Phi$ on fair traces that guarantees a fair merging and acknowledges the potential of synchronization between components. This relation must also perform the necessary bookkeeping to maintain accurate information in the traces’ contextual components. Intuitively, the triple (φ1, φ2, φ) is in fairmerge if and only if φ represents a fair computation that can be obtained by merging the fair computations represented by φ1 and φ2. With these definitions in hand, we define parallel composition on trace sets in the following way:

$$T_1 \| T_2 = \{\varphi \mid \varphi_1 \in T_1 \;\&\; \varphi_2 \in T_2 \;\&\; (\varphi_1, \varphi_2, \varphi) \in \mathit{fairmerge} \;\&\; \mathit{mergeable}(\varphi_1, \varphi_2, \varphi)\}.$$

The particular definitions of mergeable and fairmerge vary depending on both the language and notion of fairness under consideration. However, they play the same roles in each setting. Indeed, the semantic functions in general are very similar from fairness notion to fairness notion, because the operational intuition underlying the operations remains the same in each case; only the bookkeeping operations vary, reflecting their dependence on the trace structure.

In this dissertation, I concentrate on modeling synchronously communicating processes. However, this description of the framework is general enough to suit other paradigms as well. Brookes’ transition trace semantics [Bro96b] for shared-variable programs is a simple example of this general framework in which no additional contextual information is needed. In Chapter 7, we see that the framework also accommodates a hybrid language of communicating processes that includes features of shared-variable parallelism.


1.3.2 Thesis contributions

The primary contribution of this dissertation is the trace framework: it provides a general, extendible, modular approach for constructing semantics that support reasoning about fair program behavior. This framework can be viewed as an extension to existing trace models, identifying and adding the additional structure necessary for incorporating fairness assumptions.

Throughout this dissertation, I demonstrate the general robustness of the framework by constructing several different semantics that incorporate different types of fairness assumptions. In particular, I focus on a simple language of communicating processes and construct different semantics that incorporate assumptions of strong fairness (every process that is enabled infinitely often makes progress infinitely often), strong channel fairness (every communication channel on which communication is enabled infinitely often is used infinitely often), and weak fairness (every process that is enabled continuously makes progress eventually). The resulting semantics show that the same general approach can be applied for different notions of fairness: the main differences between the different semantics are the bookkeeping operations necessary for maintaining the fairness-related contextual information. By comparing these semantics, we can see how differences in fairness assumptions affect the type of semantic structure necessary for reasoning about program behavior.

In the case of strong fairness, this approach yields fully abstract semantics for several natural notions of program behavior: a semantics is fully abstract with respect to a notion of observable behavior if it identifies precisely the terms that behave identically in all program contexts. The full abstraction results reflect the suitability of the chosen contextual components for modeling strong fairness: in each of these strongly fair semantics, the contextual components of the fair traces remain the same.


1.4 Organization of the Dissertation

The remainder of this dissertation proceeds as follows:

• In Chapter 2, I introduce an imperative language of communicating processes that is based on Hoare’s CSP [Hoa78] and Milner’s CCS [Mil80]. Using this language as a backdrop, I also discuss and generalize the notions of fairness typically considered for communicating processes: process fairness, channel fairness, guard fairness, and communication fairness.

The particular syntax and operational semantics are not important from a technical perspective. However, they provide a convenient foundation for the technical details of subsequent chapters.

• In Chapter 3, I describe a denotational semantics that incorporates assumptions of strong process fairness, which requires every infinitely enabled process to proceed infinitely often.

Because strongly fair computation cannot be characterized in an immediately compositional way, I first introduce a new notion of parameterized strong fairness that can be characterized compositionally. This parameterization guides the construction of the strongly fair trace semantics. The meaning of a program is a set of traces that correspond to its possible executions; each trace is augmented by certain enabling information that is necessary for achieving compositionality.

The main artifact of the chapter is the strongly fair semantics. However, this chapter also serves as the first illustration of the general trace framework, and many of the subsequent chapters build on ideas introduced here.

• In Chapter 4, I discuss the property of full abstraction, a well-known objective criterion for judging the utility of a semantics. Intuitively, a fully abstract semantics makes precisely the right distinctions to support compositional reasoning about program behavior. The strongly fair semantics of Chapter 3 is not fully abstract. However, by introducing appropriate closure conditions on trace sets, I show how the semantics can be adapted to yield full abstraction with respect to a natural notion of strongly fair behavior. Moreover, small changes in the trace structure and the selection of closure conditions yield several other fully abstract semantics for other notions of strongly fair program behavior.

Having a common underlying framework significantly simplifies the construction of the additional semantics. In particular, the contextual components of the traces (that is, the portion that relates to strong fairness) remain the same in each case and facilitate the presentation and understanding of each new model. Moreover, because the contextual components of traces remain the same, many of the necessary lemmas for full abstraction can also be reused, greatly simplifying the subsequent full-abstraction proofs.

• In Chapter 5, I construct a semantics that incorporates assumptions of strong channel fairness. Roughly speaking, strong channel fairness requires not only the progress of infinitely enabled processes but also the infinite use of every infinitely enabled communication channel.

Once again, this semantics depends on a parameterization of fairness that can be characterized in a compositional manner. The channel-fair semantics requires significantly more structure than the process-fair semantics of the previous two chapters, and it is not fully abstract. I discuss this lack of full abstraction and hint how full abstraction might be achieved.

• In Chapter 6, I consider weak process fairness, which requires all continuously enabled processes to make progress. Weak fairness is much easier to implement than strong fairness, but it is extremely sensitive to both the nuances of the operational semantics and the order in which independent actions occur. As a result, weak fairness is much harder than strong fairness to model semantically for communicating processes. In particular, the task of determining when processes are enabled continuously requires significantly more structure than determining when they are enabled infinitely often.

As it turns out, the resulting weakly fair semantics is very similar in structure to the channel-fair semantics of Chapter 5. This similarity is rather surprising, given that strong process fairness is simultaneously stronger than weak process fairness and weaker than strong channel fairness. I discuss the underlying reasons for this similarity.

• Chapter 7 is the final technical chapter of the dissertation. In it, I introduce a language of hybrid distributed processes that combines features of both the shared-variable and the communicating-process paradigms. By combining Brookes’ transition trace semantics for shared-variable programs [Bro96b] with my strongly fair semantics for communicating processes, I construct a semantics for this hybrid language that incorporates a combination of weak and strong fairness assumptions. Moreover, suitable closure conditions on trace sets again yield full abstraction, the proof of which is a straightforward combination of the full-abstraction proofs for the original, independent semantics.

The ease with which these two distinct semantics can be combined reflects the generality of the trace framework. Despite the underlying differences of the paradigms, the two types of trace semantics can be combined in an intuitively appealing way.

• Finally, I conclude with a summary of the contributions of the thesis, some connections to related work, and suggestions for future work.


Chapter 2

Communicating Processes

In this chapter, we introduce a representative language of communicating processes, related to Hoare’s CSP and Milner’s CCS, in which processes have private local states and communicate with one another only via synchronous message passing. The particular syntax and operational semantics of this language are uninteresting from a technical standpoint, but they provide a convenient reference for the discussion of the relevant issues. In particular, throughout this dissertation we will show how different types of fairness assumptions can be incorporated into semantics for this same language. By modeling a single language, we can focus better on the similarities and differences of the various fairness assumptions.

After giving the syntax and operational semantics of the language, we introduce the standard notions of fairness for communicating processes: process fairness, channel fairness, guard fairness, and communication fairness. These notions of fairness have typically been identified with CSP; because our language’s syntax differs from CSP in certain respects, we generalize the definitions to suit our language as well.

2.1 A Language of Communicating Processes

For most of this dissertation, we shall consider a simple imperative language of communicating processes originally introduced in [Bro94] and based on Hoare’s CSP [Hoa78, Hoa85] and Milner’s CCS [Mil80]. As in occam [INM84], processes have disjoint local states and communicate with one another via named channels.


2.1.1  Syntax 

The abstract syntax of the language relies on the following seven syntactic domains:

• Ide, the set of identifiers, ranged over by $i$;

• BExp, the set of boolean expressions, ranged over by $b$;

• Exp, the set of (integer) arithmetic expressions, ranged over by $e$;

• Chan, the set of channel names, ranged over by $h$;

• Gua, the set of communication guards, ranged over by $g$;

• GCom, the set of guarded commands, ranged over by $gc$;

• Com, the set of commands, ranged over by $c$.

We take for granted the syntax of identifiers, channel names, and boolean and arithmetic expressions. The syntax of guards, guarded commands and commands is given by the following grammar:


\[
\begin{array}{rcl}
g  & ::= & h?i \mid h!e \\
gc & ::= & g \to c \mid gc_1 \mathbin{\Box} gc_2 \\
c  & ::= & \mathbf{skip} \mid i := e \mid c_1 ; c_2 \mid \mathbf{if}\ b\ \mathbf{then}\ c_1\ \mathbf{else}\ c_2 \mid \mathbf{while}\ b\ \mathbf{do}\ c \\
   &     & \mid gc \mid c_1 \parallel c_2 \mid c \backslash h
\end{array}
\]


As is common, we often abbreviate the guarded command $g \to \mathbf{skip}$ simply as $g$. We also use the notation $(\Box_i\, g_i \to c_i)$ to abbreviate guarded commands of the form

\[ (g_1 \to c_1) \mathbin{\Box} (g_2 \to c_2) \mathbin{\Box} \cdots \mathbin{\Box} (g_n \to c_n). \]


As in the original CSP, processes have disjoint local states. We therefore impose an additional syntactic constraint to ensure that processes can affect one another's behavior only through handshake communication. We require that, for every command of form $c_1 \parallel c_2$, $c_1$ and $c_2$ have disjoint free identifiers; that is,

\[ \mathit{fv}[\![c_1]\!] \cap \mathit{fv}[\![c_2]\!] = \emptyset, \]

where $\mathit{fv}[\![c]\!]$ is the set of free identifiers of $c$. The set $\mathit{fv}[\![c]\!]$ can be defined by structural induction in the standard way (see Figure 2.1), under the reasonable assumption that $\mathit{fv}[\![b]\!]$ and $\mathit{fv}[\![e]\!]$ are defined for boolean and arithmetic expressions. Likewise, the set of channel names occurring free in $c$, written $\mathit{fc}[\![c]\!]$, can be defined inductively, as in Figure 2.2.
\[
\begin{array}{rcl}
\mathit{fv}[\![\mathbf{skip}]\!] & = & \emptyset \\
\mathit{fv}[\![i := e]\!] & = & \{i\} \cup \mathit{fv}[\![e]\!] \\
\mathit{fv}[\![c_1 ; c_2]\!] & = & \mathit{fv}[\![c_1]\!] \cup \mathit{fv}[\![c_2]\!] \\
\mathit{fv}[\![\mathbf{if}\ b\ \mathbf{then}\ c_1\ \mathbf{else}\ c_2]\!] & = & \mathit{fv}[\![b]\!] \cup \mathit{fv}[\![c_1]\!] \cup \mathit{fv}[\![c_2]\!] \\
\mathit{fv}[\![\mathbf{while}\ b\ \mathbf{do}\ c]\!] & = & \mathit{fv}[\![b]\!] \cup \mathit{fv}[\![c]\!] \\
\mathit{fv}[\![h?i]\!] & = & \{i\} \\
\mathit{fv}[\![h!e]\!] & = & \mathit{fv}[\![e]\!] \\
\mathit{fv}[\![g \to c]\!] & = & \mathit{fv}[\![g]\!] \cup \mathit{fv}[\![c]\!] \\
\mathit{fv}[\![gc_1 \mathbin{\Box} gc_2]\!] & = & \mathit{fv}[\![gc_1]\!] \cup \mathit{fv}[\![gc_2]\!] \\
\mathit{fv}[\![c_1 \parallel c_2]\!] & = & \mathit{fv}[\![c_1]\!] \cup \mathit{fv}[\![c_2]\!] \\
\mathit{fv}[\![c \backslash h]\!] & = & \mathit{fv}[\![c]\!]
\end{array}
\]

Figure 2.1: Inductive definition of $\mathit{fv}[\![c]\!]$.


\[
\begin{array}{rcl}
\mathit{fc}[\![\mathbf{skip}]\!] & = & \emptyset \\
\mathit{fc}[\![i := e]\!] & = & \emptyset \\
\mathit{fc}[\![c_1 ; c_2]\!] & = & \mathit{fc}[\![c_1]\!] \cup \mathit{fc}[\![c_2]\!] \\
\mathit{fc}[\![\mathbf{if}\ b\ \mathbf{then}\ c_1\ \mathbf{else}\ c_2]\!] & = & \mathit{fc}[\![c_1]\!] \cup \mathit{fc}[\![c_2]\!] \\
\mathit{fc}[\![\mathbf{while}\ b\ \mathbf{do}\ c]\!] & = & \mathit{fc}[\![c]\!] \\
\mathit{fc}[\![h?i]\!] & = & \{h\} \\
\mathit{fc}[\![h!e]\!] & = & \{h\} \\
\mathit{fc}[\![g \to c]\!] & = & \mathit{fc}[\![g]\!] \cup \mathit{fc}[\![c]\!] \\
\mathit{fc}[\![gc_1 \mathbin{\Box} gc_2]\!] & = & \mathit{fc}[\![gc_1]\!] \cup \mathit{fc}[\![gc_2]\!] \\
\mathit{fc}[\![c_1 \parallel c_2]\!] & = & \mathit{fc}[\![c_1]\!] \cup \mathit{fc}[\![c_2]\!] \\
\mathit{fc}[\![c \backslash h]\!] & = & \mathit{fc}[\![c]\!] \setminus \{h\}
\end{array}
\]

Figure 2.2: Inductive definition of $\mathit{fc}[\![c]\!]$.
\[
\langle \bullet, s\rangle\,\mathit{term}
\qquad
\frac{\langle c_1, s_1\rangle\,\mathit{term} \qquad \langle c_2, s_2\rangle\,\mathit{term}}
     {\langle c_1 \parallel c_2,\ s_1 \cup s_2\rangle\,\mathit{term}}
\ \ \text{if } \mathit{disjoint}(s_1, s_2)
\qquad
\frac{\langle c, s\rangle\,\mathit{term}}{\langle c \backslash h, s\rangle\,\mathit{term}}
\]

Figure 2.3: The predicate $\mathit{term}$.


2.1.2  Operational  semantics 

A state is a finite partial function from identifiers to integers. Letting $\mathbf{Z}$ represent the set of integers, the set $S$ of states can be defined as

\[ S = [\mathit{Ide} \rightharpoonup \mathbf{Z}]. \]

For any state $s$, $[s \mid i = n]$ is the state that agrees with $s$ except that it assigns value $n$ to identifier $i$. The domain of a state $s$, written $\mathit{dom}(s)$, is the set of identifiers for which $s$ has a value. Two states $s_1$ and $s_2$ are considered disjoint when their domains are disjoint: $\mathit{dom}(s_1) \cap \mathit{dom}(s_2) = \emptyset$. In such cases, we write $\mathit{disjoint}(s_1, s_2)$.

For simplicity, we assume that an evaluation semantics is given for arithmetic and boolean expressions, and that expression evaluation always terminates and produces no side effects. We write $\langle e, s\rangle \to^* n$ to indicate that expression $e$ in state $s$ evaluates to value $n$. Implicit in this notation is the assumption that the free identifiers of $e$ are included in the domain of $s$: that is, $\mathit{fv}[\![e]\!] \subseteq \mathit{dom}(s)$. We use a similar notation for the evaluation of boolean expressions, and we let $\mathbf{B} = \{\mathit{tt}, \mathit{ff}\}$ represent the set of truth values.

We use a labeled transition system for commands, guards, and guarded commands; this approach is standard and follows that of [Plo83]. A configuration is a pair $\langle c, s\rangle$ (or more generally, $\langle g, s\rangle$ or $\langle gc, s\rangle$) for which state $s$ is defined on at least the free identifiers of $c$ (or $g$ or $gc$). We introduce the place-holder $\bullet$ to represent termination, and allow configurations with forms such as $\langle \bullet, s\rangle$, $\langle \bullet \parallel c_2, s\rangle$ and $\langle \bullet \backslash h, s\rangle$. A configuration $\langle c, s\rangle$ is terminal if the predicate $\langle c, s\rangle\,\mathit{term}$ can be proved from the axioms and inference rules in Figure 2.3.

A label $\lambda$ is a member of the set

\[ \Lambda = \{\varepsilon\} \cup \{\, h!n,\ h?n \mid h \in \mathit{Chan}\ \&\ n \in \mathbf{Z} \,\}. \]

Every transition has a label indicating the type of atomic action involved: $\varepsilon$ represents an internal action (e.g., assignment to a variable), $h!n$ represents the transmission of value $n$ along channel $h$, and $h?n$ represents the receipt of value $n$ from channel $h$. Two labels $\lambda_1$ and $\lambda_2$ match if and only if one has the form $h!n$ and the other $h?n$ for some channel $h$ and value $n$; in such a case, we write $\mathit{match}(\lambda_1, \lambda_2)$. For a label $\lambda$, $\mathit{chan}(\lambda)$ is the channel associated with $\lambda$; by convention, we define $\mathit{chan}(\varepsilon) = \varepsilon$.

We write

\[ \langle c, s\rangle \xrightarrow{\lambda} \langle c', s'\rangle \]

to indicate that the command $c$ in state $s$ can perform a transition labeled $\lambda$, leading to the command $c'$ in state $s'$. The transition rules for the sequential constructs are standard and appear in Figure 2.4.

The transition rules for guards and guarded commands appear in Figure 2.5. The guard $h?i$ represents the ability to receive a value for identifier $i$ on channel $h$, and the guard $h!e$ represents the ability to transmit the value of expression $e$ along channel $h$. The guarded command $g \to c$ is a command that, after performing the action associated with guard $g$, behaves like command $c$. The guarded command $gc_1 \mathbin{\Box} gc_2$ represents a nondeterministic choice¹ between the guarded commands $gc_1$ and $gc_2$: on its first step, $gc_1 \mathbin{\Box} gc_2$ can perform any action that either $gc_1$ or $gc_2$ can, and afterwards behaves like the chosen $gc_i$.

The transition rules for the parallel composition and channel restriction appear in Figure 2.6. The command $c_1 \parallel c_2$ represents the parallel composition of commands $c_1$ and $c_2$, and it can perform any action that either component can perform. Additionally, if one component can perform output and the other receive input on the same channel, then the two components can synchronize, resulting in a single $\varepsilon$-transition of the parallel command; such handshakes correspond to “distributed” assignments. Finally, the command $c \backslash h$ behaves like the command $c$, except that communication on the channel $h$ is restricted to handshakes.

In many situations, we will be interested in the general properties of a communication (i.e., whether it is input or output, and on which channel it occurs) without caring about the particular value transmitted. In such cases, we consider the set of directions. A direction is a member of

¹This choice is an external choice, in that it can be influenced by the environment.

a set $\mathit{inits}(c, s)$ that contains the directions (possibly including $\varepsilon$) that can be used on transitions from the configuration $\langle c, s\rangle$:

\[ \mathit{inits}(c, s) = \{\, \mathit{dir}(\lambda) \mid \exists c', s'.\ \langle c, s\rangle \xrightarrow{\lambda} \langle c', s'\rangle \,\}. \]

A computation is a finite or infinite, maximal sequence of transitions; a partial computation is a finite sequence of transitions. We call a finite computation ending in a terminal configuration successful and one ending in a blocked configuration deadlocked.


2.1.3  Processes 

As  a  program  executes,  it  has  one  or  more  processes  associated  with  it;  each  process  is  a  thread 
of  control  in  that  execution.  At  every  step  along  a  computation,  the  active  processes  can  be 
determined  from  the  syntactic  portion  of  the  current  configuration.  Although  processes  are 
technically  features  of  program  executions,  it  is  convenient  to  associate  them  with  program 
syntax.  For  example,  in  the  command 


\[ b!0 \parallel (a?x \mathbin{\Box} a!1), \]

we say that there are two processes: $b!0$ and $(a?x \mathbin{\Box} a!1)$.

The  number  of  processes  can  increase  or  decrease  dynamically  as  a  program  executes.  For 
example,  the  following  computation  has  one  active  process  initially,  two  active  processes  after 
the  first  transition,  and  no  active  processes  in  the  final  configuration: 

\[
\begin{array}{l}
\langle a!x \to (y := 1 \parallel x := 1),\ [x = 0, y = 0]\rangle
\xrightarrow{a!0} \langle y := 1 \parallel x := 1,\ [x = 0, y = 0]\rangle \\
\quad \xrightarrow{\varepsilon} \langle y := 1 \parallel \bullet,\ [x = 1, y = 0]\rangle
\xrightarrow{\varepsilon} \langle \bullet \parallel \bullet,\ [x = 1, y = 1]\rangle.
\end{array}
\]

A  process  is  enabled  in  a  given  configuration  if  it  can  contribute  to  a  transition  from  that 
configuration.  That  is,  a  process  is  enabled  if  it  can  perform  an  internal  action,  if  it  can  perform 
an  external  communication  along  an  unrestricted  channel,  or  if  it  is  able  to  synchronize  with 
some  other  process.  As  a  result,  whether  a  process  is  enabled  can  depend  upon  the  status  of 
the  processes  running  in  parallel  with  it:  a  process  trying  to  communicate  along  a  restricted 
channel  is  enabled  only  if  another  process  can  synchronize  with  it. 

Example 2.1.1 Consider the program

\[ (Q_1 \parallel Q_2 \parallel Q_3 \parallel Q_4 \parallel Q_5)\backslash a \backslash b, \]

where the processes $Q_1$, $Q_2$, $Q_3$, $Q_4$ and $Q_5$ are defined as follows:

\[
\begin{array}{rcl}
Q_1 & = & x := x - 1, \\
Q_2 & = & a?y \to y := y + 1, \\
Q_3 & = & a!z \to \mathbf{skip}, \\
Q_4 & = & b!w \to w := w + 1, \\
Q_5 & = & (b!5 \to \mathbf{skip}) \mathbin{\Box} (c!5 \to \mathbf{skip}).
\end{array}
\]

1. Process $Q_1$ is enabled, because it can perform an internal action that decrements the value of $x$.

2. Processes $Q_2$ and $Q_3$ are both enabled, because they are able to synchronize with one another along channel $a$.

3. Process $Q_4$ is disabled: its only potential transition requires synchronization on channel $b$, and no other process can synchronize with it ($Q_5$ also offers only output on $b$).

4. Process $Q_5$ is enabled, because it can communicate along the unrestricted channel $c$. ◇

2.2  Fairness  for  Communicating  Processes 

Most  of  the  common  notions  of  fairness — and  all  of  the  ones  discussed  in  this  dissertation — 
share  the  same  general  form: 

Every  entity  that  is  enabled  sufficiently  often  will  eventually  make  progress. 

Varying  the  interpretations  of  entity  and  sufficiently  often  leads  to  different  notions  of  fairness. 
In  the  context  of  communicating  processes,  there  are  many  different  kinds  of  entity  to  consider, 
each  choice  leading  to  a  different  notion  of  fairness.  In  particular,  Francez  [Fra86]  and  Kuiper 
and  de  Roever  [KdR83]  have  collectively  identified  a  hierarchy  of  fairness  notions  for  CSP 
that  includes  the  following  forms  of  fairness:  process  fairness,  channel  fairness,  guard  fairness, 
and communication fairness. Each of these fairness notions has weak and strong varieties, which differ in the interpretation of sufficiently often: weak forms of fairness are concerned with continuously enabled entities, whereas strong forms of fairness are concerned with infinitely often enabled entities.

The hierarchy of fairness assumptions for CSP is sketched in Figure 2.7. Each link of form $A \to B$ can be interpreted as “fairness notion $A$ is subsumed by fairness notion $B$” or (equivalently) “every $B$-fair computation is also $A$-fair.” For example, weak process fairness is subsumed by both weak channel fairness and strong process fairness: every weakly channel-fair computation, and every strongly process-fair computation, is also weakly process-fair. Moreover, for each link $A \to B$, there is a program that always terminates under the assumption of $B$-fairness but has nonterminating computations under the weaker assumption of $A$-fairness [KdR83].

In this section, we define each of these fairness notions, first as defined originally for CSP and then adapted to suit the more general syntax of our communicating processes. Process and channel fairness figure prominently in subsequent chapters. Guard and communication fairness, which are more strongly tied to program syntax, seem less reasonable as abstractions, because they are much harder to implement: they require the scheduler to keep track of all (syntactic) communication points of a program and to ensure that each communication point enabled sufficiently often is used sufficiently often. As a result, we discuss guard and communication fairness only in this section, to provide a more complete overview of the hierarchy of fairness notions.

2.2.1  Process  fairness 

Process  fairness  is  by  far  the  most  common  notion  from  this  hierarchy,  due  to  its  applicability 
to  contexts  besides  communicating  processes  and  to  the  relative  ease  of  implementing  process- 
fair  schedulers. 

Weak (process) fairness (also known as justice [LPS81]) states that every process enabled continuously will eventually make progress. Intuitively, weak fairness ensures that the scheduler will never forget a process forever. It is straightforward to implement weak fairness as a scheduling policy, using a simple round-robin scheduling queue.

\[
\begin{array}{l}
\mathbf{while}\ \mathbf{true}\ \mathbf{do}\ ( \\
\quad \mathit{non\text{-}critical\text{-}section}_i; \\
\quad \mathit{sem}?z_i;\ \mathit{critical\text{-}section}_i; \\
\quad \mathit{sem}!1 \\
)
\end{array}
\]

Figure 2.8: The processes $Q_i$.

Despite the ease of implementing weak fairness, sometimes a stronger notion of fairness is warranted. For example, consider the use of a semaphore $\mathit{sem}$, which we can implement as the process

\[ \mathit{Sem} = \mathbf{while}\ \mathbf{true}\ \mathbf{do}\ (\mathit{sem}!1 \to \mathit{sem}?s), \]

to prevent processes $Q_1$ and $Q_2$ (sketched in Figure 2.8) from being in their critical sections at the same time. In this scenario, it is reasonable to expect that each of $Q_1$ and $Q_2$ will eventually enter its critical section. However, weak fairness is not a strong enough assumption to ensure such an outcome. A process waiting for the semaphore becomes disabled whenever the other process successfully enters its critical section. A computation in which $Q_1$ repeatedly enters its critical section while $Q_2$ never gains admission to its critical section is weakly fair, because $Q_2$ is not enabled continuously but only infinitely often.

Another problem with weak process fairness for communicating processes is that, in the vocabulary of Apt and colleagues, it is not equivalence robust [AFK88]. That is, weak fairness is very sensitive to the order in which independent actions are scheduled. For example, consider the following program

\[ (b!0 \parallel Q_3 \parallel Q_4)\backslash b, \]

where the processes $Q_3$ and $Q_4$ are defined as follows:

\[ Q_3 = \mathbf{while}\ \mathbf{true}\ \mathbf{do}\ (b?x \mathbin{\Box} a!1), \qquad Q_4 = \mathbf{while}\ \mathbf{true}\ \mathbf{do}\ (b?y \mathbin{\Box} a!2). \]

In the following computation, the process $b!0$ makes no progress, while $Q_3$ and $Q_4$ repeatedly perform the same sequence of actions:

\[
\begin{array}{l}
\langle (b!0 \parallel Q_3 \parallel Q_4)\backslash b,\ s\rangle \\
\quad \xrightarrow{\varepsilon} \langle (b!0 \parallel (b?x \mathbin{\Box} a!1);Q_3 \parallel Q_4)\backslash b,\ s\rangle \\
\quad \xrightarrow{\varepsilon} \langle (b!0 \parallel (b?x \mathbin{\Box} a!1);Q_3 \parallel (b?y \mathbin{\Box} a!2);Q_4)\backslash b,\ s\rangle \\
\quad \xrightarrow{a!1} \langle (b!0 \parallel Q_3 \parallel (b?y \mathbin{\Box} a!2);Q_4)\backslash b,\ s\rangle \\
\quad \xrightarrow{a!2} \langle (b!0 \parallel Q_3 \parallel Q_4)\backslash b,\ s\rangle \\
\quad \xrightarrow{\varepsilon} \cdots
\end{array}
\]
This computation is weakly process-fair, because the process $b!0$ does not have synchronization enabled continuously. In contrast, consider the following computation, in which processes $Q_3$ and $Q_4$ make exactly the same transitions as in the preceding computation, but the order in which the components' transitions are interleaved varies:

\[
\begin{array}{l}
\langle (b!0 \parallel Q_3 \parallel Q_4)\backslash b,\ s\rangle \\
\quad \xrightarrow{\varepsilon} \langle (b!0 \parallel (b?x \mathbin{\Box} a!1);Q_3 \parallel Q_4)\backslash b,\ s\rangle \\
\quad \xrightarrow{\varepsilon} \langle (b!0 \parallel (b?x \mathbin{\Box} a!1);Q_3 \parallel (b?y \mathbin{\Box} a!2);Q_4)\backslash b,\ s\rangle \\
\quad \xrightarrow{a!1} \langle (b!0 \parallel Q_3 \parallel (b?y \mathbin{\Box} a!2);Q_4)\backslash b,\ s\rangle \\
\quad \xrightarrow{\varepsilon} \langle (b!0 \parallel (b?x \mathbin{\Box} a!1);Q_3 \parallel (b?y \mathbin{\Box} a!2);Q_4)\backslash b,\ s\rangle \\
\quad \xrightarrow{a!2} \langle (b!0 \parallel (b?x \mathbin{\Box} a!1);Q_3 \parallel Q_4)\backslash b,\ s\rangle \\
\quad \xrightarrow{\varepsilon} \langle (b!0 \parallel (b?x \mathbin{\Box} a!1);Q_3 \parallel (b?y \mathbin{\Box} a!2);Q_4)\backslash b,\ s\rangle \\
\quad \xrightarrow{a!1} \cdots
\end{array}
\]

This computation is not weakly process-fair, because the process $b!0$ is enabled for synchronization continuously from the second configuration onwards. Thus weak process fairness relies not only on the actions of the components running in parallel but also on the manner in which those actions are scheduled.

As  an  alternative  to  weak  fairness,  strong  (process)  fairness  states  that  every  infinitely 
enabled  process  makes  progress  infinitely  often.  Strong  fairness  is  equivalence  robust,  and 
hence  does  not  depend  on  the  order  in  which  individual  transitions  are  scheduled.  As  a  result, 
strong  process  fairness  is  a  much  more  natural  notion  of  fairness  to  consider  for  communicating 
processes. 
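The definitions just given (enabledness of a process from Subsection 2.1.3, and weak versus strong process fairness) can be checked mechanically on the example above. The following Python module is an added illustration, not part of the dissertation: it decides enabledness from the set of directions each process offers (its inits), confirms the verdicts of Example 2.1.1, and then models the program $(b!0 \parallel Q_3 \parallel Q_4)\backslash b$ as a small transition system so that the two interleavings shown above can be tested. An infinite computation is represented as a prefix followed by a cycle that returns to its starting configuration (a lasso): a process is continuously enabled exactly when it is enabled at every configuration of the cycle, and infinitely often enabled exactly when it is enabled at some configuration of the cycle. The process indices, the string encoding of positions and actions, and the lasso representation are choices of this example.

```python
"""Process enabledness (Section 2.1.3) and weak versus strong process
fairness (Section 2.2.1), checked on ultimately periodic computations.
Added example; the encodings below are this example's own choices."""

EPS = "eps"   # the internal direction


def enabled_processes(offers, restricted):
    """offers[i] is the set of directions process i can use next: EPS or a
    pair (channel, "!" or "?").  A process is enabled if it can take an
    internal step, communicate on an unrestricted channel, or handshake
    with a different process that offers the matching direction."""
    enabled = set()
    for i, mine in enumerate(offers):
        for d in mine:
            if d == EPS or d[0] not in restricted:
                enabled.add(i)
                break
            partner = (d[0], "?" if d[1] == "!" else "!")
            if any(partner in other for j, other in enumerate(offers) if j != i):
                enabled.add(i)
                break
    return enabled


# Example 2.1.1: (Q1 || Q2 || Q3 || Q4 || Q5)\a\b, every process at its first action.
EXAMPLE_211 = [{EPS},                      # Q1 = x:=x-1
               {("a", "?")},               # Q2 = a?y -> y:=y+1
               {("a", "!")},               # Q3 = a!z -> skip
               {("b", "!")},               # Q4 = b!w -> w:=w+1
               {("b", "!"), ("c", "!")}]   # Q5 = (b!5 -> skip) [] (c!5 -> skip)


def example_211():
    return enabled_processes(EXAMPLE_211, restricted={"a", "b"})  # Q4 (index 3) absent


# The program (b!0 || Q3 || Q4)\b.  A state records whether b!0 is still pending
# and whether each loop is at its top ("loop": only an unfolding step is
# possible) or has the guarded command (b?x [] a!k) at the front ("guard").
SENDER, Q3, Q4 = 0, 1, 2
GUARD = {("b", "?"), ("a", "!")}
START = (True, "loop", "loop")


def offers_of(state):
    alive, pos3, pos4 = state
    return [{("b", "!")} if alive else set(),
            {EPS} if pos3 == "loop" else GUARD,
            {EPS} if pos4 == "loop" else GUARD]


def step(state, action):
    """One transition; returns (new state, set of processes that moved)."""
    alive, pos3, pos4 = state
    if action == "unfold3" and pos3 == "loop":
        return (alive, "guard", pos4), {Q3}
    if action == "unfold4" and pos4 == "loop":
        return (alive, pos3, "guard"), {Q4}
    if action == "a!1" and pos3 == "guard":                  # external output on a
        return (alive, "loop", pos4), {Q3}
    if action == "a!2" and pos4 == "guard":
        return (alive, pos3, "loop"), {Q4}
    if action == "b-sync3" and alive and pos3 == "guard":    # handshake on restricted b
        return (False, "loop", pos4), {SENDER, Q3}
    if action == "b-sync4" and alive and pos4 == "guard":
        return (False, pos3, "loop"), {SENDER, Q4}
    raise ValueError(f"{action} is not possible in {state}")


def lasso(prefix, cycle):
    """Run prefix, then cycle once, from START.  The cycle must return to the
    configuration it started from, so prefix.cycle^omega is a computation.
    Returns, per step of the cycle, (enabled processes, moving processes)."""
    state = START
    for a in prefix:
        state, _ = step(state, a)
    origin, steps = state, []
    for a in cycle:
        en = enabled_processes(offers_of(state), restricted={"b"})
        state, moved = step(state, a)
        steps.append((en, moved))
    if state != origin:
        raise ValueError("cycle does not return to its starting configuration")
    return steps


def weakly_fair(steps):
    """Every process enabled at every step of the cycle moves within it."""
    return all(any(p in mv for _, mv in steps)
               for p in (SENDER, Q3, Q4) if all(p in en for en, _ in steps))


def strongly_fair(steps):
    """Every process enabled at some step of the cycle moves within it."""
    return all(any(p in mv for _, mv in steps)
               for p in (SENDER, Q3, Q4) if any(p in en for en, _ in steps))


# The two computations above: same per-process actions, different interleaving.
FIRST = lasso([], ["unfold3", "unfold4", "a!1", "a!2"])
SECOND = lasso(["unfold3", "unfold4", "a!1"], ["unfold3", "a!2", "unfold4", "a!1"])
```

Running the module confirms that the first interleaving is weakly but not strongly fair, that the second is not even weakly fair although $Q_3$ and $Q_4$ take the same actions in both (the non-robustness described above), and that a computation in which $b!0$ handshakes once is fair under both notions, since a terminated process is never enabled again.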

Because  strong  fairness  reflects  a  stronger  expectation  of  scheduler  behavior,  it  is  more 
difficult  than  weak  fairness  to  implement  as  a  scheduling  policy.  One  way  to  implement  strong 
fairness  is  to  employ  a  priority  queue  scheme  involving  two  process  queues  A  and  B.  All 
processes  originate  in  the  lower  priority  queue  (B),  which  behaves  like  the  simple  round-robin 
scheduler  for  weak  fairness.  However,  if  a  process  cycles  through  this  queue  too  many  times 
(for  some  previously  determined  value  of  too  many)  without  making  progress,  it  transfers  to  the 
higher  priority  queue  (A).  Processes  in  A  are  given  preference  whenever  they  have  transitions 
enabled,  and  they  retain  their  position  in  A  until  they  make  progress,  at  which  point  they  return 
to  the  end  of  B.  In  particular,  a  process  in  queue  A  is  scheduled  immediately  upon  becoming 
enabled  (assuming  it  has  the  highest  priority  among  all  enabled  processes  in  queue  A.)  Because 
processes  in  A  are  given  preference  until  they  make  progress,  a  process  can  fail  to  make  infinite 
progress  only  if  it  becomes  permanently  disabled.  A  scheduler  that  implements  this  policy 
for  some  fixed  value  of  too  many  is  strongly  fair,  because  every  execution  that  it  generates  is 
strongly  fair.  Strong  fairness  is  the  abstraction  that  lets  us  ignore  the  specific  value  of  too  many. 
2.2.2 Channel fairness

Definitions for channel fairness appear in both [Fra86] and [KdR83]. Although the two definitions differ, both formulations are intrinsically tied to the syntax of original CSP. In this subsection, we present Francez's definition and adapt it to suit our language. Kuiper and de Roever's definition of channel fairness, which coincides with what Francez terms communication fairness, is discussed in Subsection 2.2.4.

In the original CSP, processes have names and communicate by name, so that (for example) the process $Q_i$ uses the guard $Q_j!e$ to represent its willingness to transmit the value of expression $e$ to process $Q_j$. Similarly, the process $Q_j$ uses the guard $Q_i?x$ to indicate its willingness to receive a value for identifier $x$ from $Q_i$. As a result, Francez interprets a channel as simply a pair of processes, and he defines strong channel fairness as the following assumption:

Every pair of processes that are infinitely often able to synchronize with one another will do so infinitely often.

This definition for channel fairness includes an implicit minimal liveness assumption [OL82]: a process will never block if it can perform an internal action such as assignment.

Every strongly channel-fair computation is also strongly process-fair, because channel fairness ensures the eventual progress of every infinitely enabled process. Every infinitely enabled process has either infinitely many opportunities for internal actions or infinitely many opportunities to synchronize with other processes. In the former case, the minimal liveness assumption ensures that the process makes progress. In the latter case, there must be at least one process with which the process has infinitely many opportunities to synchronize, and channel fairness ensures that the synchronization happens.

Because CSP processes communicate by name, each channel corresponds precisely to a pair of processes: only two processes communicate along any given channel, and only one channel is used between any two processes. In our language, any number of processes may communicate along a given channel, and two processes may communicate along any number of channels. As a result, it is possible for a particular channel to be used infinitely often and yet for another process to become blocked while trying to use that same channel. For example, the program

\[ [\,(\mathbf{while}\ \mathbf{true}\ \mathbf{do}\ a!0) \parallel (\mathbf{while}\ \mathbf{true}\ \mathbf{do}\ a?x) \parallel a!2\,]\backslash a \]

has an infinite computation in which the channel $a$ is used infinitely often and yet the process $a!2$ remains blocked.

This example raises an interesting question: should an infinitely enabled process be allowed to block along a strongly channel-fair computation? If we answer yes, then we must forfeit the “hierarchy” concept of fairness notions, because process fairness will no longer be subsumed by channel fairness. If we answer no, then we must build strong process fairness into our notion of strong channel fairness. We take the latter approach and incorporate strong process fairness into our definition of strong channel fairness; this choice not only preserves the fairness hierarchy but also satisfies the obligation to include a minimal liveness assumption.

Bearing  these  considerations  in  mind,  we  arrive  at  the  following  generalized  definition  for 
strong  channel  fairness.  A  computation  is  strongly  channel-fair  if  it  satisfies  the  following 
two  conditions: 


•  Every  process  enabled  infinitely  often  makes  progress  infinitely  often. 

•  Every  channel  on  which  communication  is  enabled  infinitely  often  is  used  infinitely  of¬ 
ten. 


This definition of strong channel fairness generalizes the Francez definition, while preserving the notion of channel fairness as it applies to CSP programs. In particular, every CSP program $P$ can be translated into a program $P'$ in our language in a straightforward manner. In each case, the (Francez-defined) channel-fair behaviors of $P$ correspond precisely to the (generalized) channel-fair behaviors of $P'$.

If  we  view  different  channels  as  representing  different  types  of  messages,  then  channel 
fairness  ensures  that  every  type  of  message  that  is  infinitely  often  deliverable  gets  delivered 
infinitely  often.  Implementing  strong  channel  fairness  requires  a  mechanism  similar  to  that 
described  for  strong  process  fairness,  suitably  updated  to  ensure  that  infinitely  enabled  channels 
are  used  infinitely  often. 

To understand the extra strength over process fairness provided by channel fairness, consider the program

\[ (P \parallel Q \parallel R)\backslash a \backslash b \backslash c, \]

where the processes $P$, $Q$, and $R$ are defined as in Figure 2.9. (Following [AFK88], we assume for now that communications are possible only when all three processes are inside their loops. We impose this assumption only to simplify the exposition here; we remove this assumption in subsequent chapters. Moreover, we return to this matter in Chapter 5, particularly in Examples 5.4.2 and 5.4.3.) Termination of the program cannot be guaranteed under strong process fairness: it is perfectly acceptable for each of $P$ and $Q$ to communicate only with process $R$, each doing so infinitely often. However, in any infinite computation, synchronization is enabled infinitely often on each of the channels $a$, $b$ and $c$. As a result, in any channel-fair computation, process $P$ must eventually transmit the value 0 along channel $a$, an action that eventually leads to the termination of the entire program.
\[
\begin{array}{l}
\text{(a) Process } P: \\
\quad \mathbf{while}\ (x \neq 0)\ \mathbf{do}\ (a!0 \to x := 0 \ \mathbin{\Box}\ b!1 \to \mathbf{skip}) \\[1ex]
\text{(b) Process } Q: \\
\quad n := 1;\ \mathbf{while}\ (w \neq 0)\ \mathbf{do}\ (a?w \to c!w \ \mathbin{\Box}\ c!n \to n := n + 1) \\[1ex]
\text{(c) Process } R: \\
\quad \mathbf{while}\ (v \neq 0)\ \mathbf{do}\ (c?v \to \mathbf{skip} \ \mathbin{\Box}\ b?v \to \mathbf{skip})
\end{array}
\]

Figure 2.9: Channel fairness example.

2.2.3  Guard  fairness 

Guard fairness places even more restrictions on what types of computations can be considered fair. Informally, strong guard fairness states that every guard that is enabled infinitely often will be chosen infinitely often.² A guard is enabled in a given configuration if it can contribute to a transition from that configuration. Hence, a guard of process $P$ is enabled if it involves communication on an unrestricted channel or if it involves communication on a restricted channel and a “matching” guard of another process is also enabled. For example, the guard $a!0$ is enabled in the configurations

\[ \langle a!0 \mathbin{\Box} b!0,\ s\rangle \quad\text{and}\quad \langle (a!0 \parallel a?x)\backslash a,\ s\rangle, \]

but not in the configuration

\[ \langle (a!0 \mathbin{\Box} b?x)\backslash a,\ s\rangle. \]

Strong guard fairness provides a stronger assumption than strong channel fairness, as illustrated by the following example. Consider the program

\[ (P' \parallel Q \parallel R)\backslash a \backslash b \backslash c, \]

where $Q$ and $R$ are as defined in Figure 2.9 and $P'$ is defined in Figure 2.10. (We again suppose that communications occur only when all three processes are inside their loops.) This program does not always terminate under strong channel fairness. Although channel $a$ must be used infinitely often along any infinite computation, it is permissible under channel fairness for the $a!0$ guard of $P'$ to be ignored while the guard $a!1$ synchronizes continually with $Q$'s $a?w$ guard. In such a computation, none of the variables $x$, $w$, or $v$ ever gets set to 0, and hence the program never terminates. In contrast, under strong guard fairness, the guard $a!0$ must eventually be involved in a handshake communication with $a?w$, leading to termination of the program.

²To be precise, we also assume a minimal liveness property: no process becomes stuck in a configuration in which it can perform an internal action.
\[ P' = \mathbf{while}\ (x \neq 0)\ \mathbf{do}\ (a!0 \to x := 0 \ \mathbin{\Box}\ a!1 \to \mathbf{skip} \ \mathbin{\Box}\ b!1 \to \mathbf{skip}) \]

Figure 2.10: The process $P'$.

2.2.4  Communication  fairness 

Communication fairness³ provides an even stronger assumption than guard fairness. Informally, communication fairness states that every communication enabled infinitely often will occur infinitely often. For CSP, a communication corresponds to two “matching” guards, which necessarily appear in two processes. Thus communication fairness for CSP can be stated as follows:

For every pair of processes $Q_i$ and $Q_j$, and for every pair $(g_i, g_j)$ of (syntactically) matching guards from the two processes, if $g_i$ and $g_j$ are jointly enabled infinitely often, then they will synchronize infinitely often.

The notion of communication fairness, like guard fairness, has a very strong syntactic flavor: a scheduler must be able to distinguish two separate occurrences of the same guard in a program. The syntactic requirements behind this fairness notion seem inappropriate for a practical abstraction, and hence we will not discuss communication fairness in the rest of this dissertation. However, to complete the overview of the hierarchy, we introduce an appropriate generalization of communication fairness for our language.

The interpretation of communication is trickier for our language than for CSP, again because any number of processes may communicate along a given channel. In particular, we need to consider not only synchronizations among the processes that we know about but also possible interactions with the external environment. For example, compare the program

\[ P = (\mathbf{while}\ \mathbf{true}\ \mathbf{do}\ (a?x \to \mathbf{skip} \mathbin{\Box} a?y \to \mathbf{skip}) \parallel \mathbf{while}\ \mathbf{true}\ \mathbf{do}\ a!0)\backslash a, \]

which is (in effect) a CSP program translated directly into our language, with the program

\[ P' = \mathbf{while}\ \mathbf{true}\ \mathbf{do}\ (a?x \to \mathbf{skip} \mathbin{\Box} a?y \to \mathbf{skip}) \parallel \mathbf{while}\ \mathbf{true}\ \mathbf{do}\ a!0. \]

For  program  P,  the  synchronizations  between  the  guards  a?x  and  a!0  and  between  the  guards 
a?y  and  a!0  are  the  only  possible  communications.  Thus  every  strongly  communication-fair 
computation  of  program  P  should  include  infinitely  many  synchronizations  on  each  pair.  In 
contrast,  program  P'  also  permits  three  types  of  external  communication:  reading  a  value  into  x, 
reading a value into $y$, and transmitting the value 0. These external communications must also occur infinitely often along any strongly communication-fair computation of $P'$, to represent the potential for communication with processes placed in parallel with $P'$.

³Kuiper and de Roever call this notion of fairness channel fairness.

\[ Q' = n := 1;\ \mathbf{while}\ (w \neq 0)\ \mathbf{do}\ (a?w \to c!w \ \mathbin{\Box}\ c!n \to n := n + 1 \ \mathbin{\Box}\ a?n \to c!1) \]

Figure 2.11: The process $Q'$.

We  therefore  introduce  the  following  generalized  notion  of  strong  communication  fairness. 
A  computation  is  considered  strongly  communication-fair  if  it  satisfies  the  following  two 
conditions: 

•  Every  handshake  communication  enabled  infinitely  often  is  chosen  infinitely  often. 

•  Every  external  action  enabled  infinitely  often  is  chosen  infinitely  often. 

When only closed programs (i.e., programs having no free channels) are considered, this definition of communication fairness coincides with the original notion of communication fairness introduced for CSP-style programs.

To distinguish communication fairness from guard fairness, consider the program

\[ (P' \parallel Q' \parallel R)\backslash a \backslash b \backslash c, \]

where processes $P'$ and $R$ are as defined previously, and process $Q'$ is defined as in Figure 2.11. (Once again, we assume that communications occur only when all three processes are inside their loops.) Under strong guard fairness, the program does not necessarily terminate. Each of the guards $a!0$, $a!1$, $a?w$ and $a?n$ must be used infinitely often in any infinite computation, but it is permissible for the two guards $a!0$ and $a?n$ to synchronize only with one another, and likewise for the guards $a!1$ and $a?w$. In such an execution, the value 0 is never received by $Q'$ into $w$, and hence the program never terminates. In contrast, under strong communication fairness, each of the guards $a!0$ and $a!1$ must synchronize with each of the guards $a?w$ and $a?n$, resulting in the eventual termination of the program.

As the preceding discussion illustrates, the choice of fairness assumption affects what we can prove about program behavior: for example, there are programs that necessarily terminate under assumptions of strong channel fairness but may not terminate under strong process fairness. In the next several chapters, we see how the choice of fairness assumption also affects the semantic structure that is necessary for modeling fair behavior. We concentrate on three of these fairness assumptions: strong process fairness, strong channel fairness, and weak process fairness. We show how the framework adapts for each fairness notion, discussing the differences in semantic structure for each case. Perhaps surprisingly, the complexity of the semantic structure for a given notion of fairness is not linked directly to that notion's place in the hierarchy: as we shall see, strong process fairness is much simpler to model than either strong channel fairness or weak process fairness, despite falling between them in the hierarchy.


Chapter 3

Strong Process Fairness


In this chapter, we show how assumptions of strong process fairness can be incorporated into the general denotational framework described in Section 1.3. Modeling fairness in a compositional way is tricky, because the fairness of a subcomponent is context-dependent: whether a process can become blocked along a fair computation depends on the processes running in parallel with it. To model this dependence accurately, we must first introduce a parameterized form of strong fairness that takes contexts into account.

After introducing parameterized strong fairness, we show how fair computations can be represented by traces, and we construct a denotational semantics based on these traces that incorporates assumptions of strong process fairness. This strongly fair semantics first appeared in [BO95], with a slightly different formulation. The chapter concludes with some simple examples illustrating how the semantics can be used to reason about program behavior.


3.1 Parameterized Strong Fairness

The enabledness of a process depends upon the context in which it appears. This contextual dependency has important consequences for any attempt to define fair computations in a compositional way. For example, consider the program

C = (C1 || (C2 || C3))\a\b,

where C1, C2 and C3 are defined as follows:

C1 = while true do a?x,   C2 = while true do a!0,   C3 = while true do (b!0 → a!1).

Any compositional treatment of fairness must allow the fair computations of C to be defined in terms of the fair computations of C1 and C2||C3. In turn, the fair computations of C2||C3 must be defined in terms of the fair computations of C2 and C3. Because C2 and C3 are both enabled infinitely often along any computation of C2||C3, every strongly fair computation of C2||C3 must contain infinitely many outputs along each of the channels a and b. When C2||C3 is placed in the larger context of program C, however, the process C3 becomes blocked when trying to perform output on channel b: communication on the channel is restricted, and no matching input is ever available. In contrast, channel a is also restricted in this context, but C2 is repeatedly enabled for synchronization with C1. Thus the program C has an infinite, strongly fair execution in which C3 becomes permanently blocked, but none in which C1 or C2 ever becomes permanently blocked.

This example highlights two problems that arise in trying to characterize strongly fair computations in a compositional way. First, the strongly fair computations of a command cannot always be determined solely from the strongly fair computations of its component commands. In the preceding example, for instance, the strongly fair computations of C could not be determined solely from the strongly fair computations of C1 and C2||C3. In particular, simply omitting the occurrences of channel b that appear along the fair computations of C2||C3 would lead to impossible computations for the larger command: each action a!1 that appears along the fair computations of C2||C3 is possible only when the action b!0 appears first. Second, the restricted channels alone are insufficient for identifying which subcommands will be enabled along any given computation: even though communication was restricted on channel a, C2 could make continual progress by synchronizing with C1 infinitely often.

To address these problems, we introduce generalized notions of enabledness and fairness, parameterizing each by a set of directions representing fairness constraints. In effect, we can talk about "almost blocked" configurations and "almost fair" computations, and the sets of directions provide a precise interpretation of "almost". Moreover, these sets of directions provide a description of those program contexts† P[−] for which the "almost fair" computations will represent the transitions of c in a truly fair computation of P[c].

For every finite set F of directions, we characterize those computations that are strongly fair modulo F. Roughly speaking, a computation ρ of the command c is strongly fair modulo F if every process enabled infinitely often either makes progress infinitely often (just as in traditional strong fairness) or eventually stops in a configuration in which its only possible transitions are labeled by directions in F and it cannot synchronize with any other process. Intuitively, even though the directions of F may be enabled infinitely often along ρ, it is possible to construct a program context P[−] that restricts communication on the channels in F and fails to provide synchronization opportunities for members of F; for such contexts, the computation ρ will represent c's contribution to a strongly fair computation of P[c]. In particular, those processes can be ignored fairly in any program context that restricts communication on the channels of F and does not provide sufficient opportunities for them to synchronize. For example, the infinite computation of C2||C3 that never performs output along channel b can be characterized as fair modulo {b!}: the context (C1 || −)\a\b restricts communication on channel b and provides no synchronization opportunities for C3's b!0 action.

† A program context P[−] is simply a program with a "hole", and P[c] is the program that results from filling the hole with command c.

Unlike the traditional notion of strong fairness, parameterized fairness can be characterized compositionally. Before doing so formally, however, we introduce some auxiliary definitions and give an informal explanation.

Definition 3.1.1 Let F be a finite set of directions. A configuration (c, s) is enabled modulo F if inits(c, s) − F is nonempty, and blocked modulo F if inits(c, s) ⊆ F. ◇

Thus a configuration is enabled modulo F if it can perform an action (either internal or otherwise) not labeled by a direction in F, and blocked modulo F otherwise. Any configuration that is blocked modulo F is necessarily blocked modulo F' for all F' ⊇ F.

Unlike strong fairness, parameterized strong fairness can be characterized compositionally. Just as every finite computation is strongly fair, every finite computation is strongly fair modulo F, for all sets F. A partial computation is strongly fair modulo F provided its final configuration is blocked modulo F. The fairness of an infinite computation ρ of a command c depends on the syntactic structure of c and on the form of ρ, as follows.

In general, an infinite computation of a command c inherits its fairness constraints from the underlying computations of c's component commands. For example, an infinite computation ρ of the command c1;c2 arises either from an infinite computation of c1 or from a finite computation of c1 followed by an infinite computation of c2. The computation ρ is fair mod F whenever the infinite computation of c1 or c2 is fair mod F; any subcomponent that is blocked mod F along ρ must also be blocked mod F along the corresponding infinite computation of c1 or c2. Similarly, an infinite computation of the command while true do c arises either from infinitely many finite computations of c or from finitely many finite computations of c followed by an infinite computation of c. The computation ρ is fair mod F when all of these component computations of c are fair mod F: thus ρ is fair mod F whenever it contains infinitely many finite computations of c or when the single infinite computation of c is fair mod F.

Similar reasoning governs the fairness conditions for most of the remaining nonparallel commands. An infinite computation of g → c is fair mod F when the sequence of transitions made by c is fair mod F, and an infinite computation of if b then c1 else c2 is fair mod F when the sequence of transitions made by the selected branch c_i is fair mod F. An infinite computation of gc1 □ gc2 is fair mod F if, after making its choice of components gc_i on the first step, it behaves like a fair mod F computation of the selected gc_i.

Placing a command within the scope of channel restriction has the effect of discharging any context assumptions involving the newly restricted channel. For example, suppose ρ is an infinite computation of the command c\h. If the ith transition of ρ is

$$(c_i, s_i) \xrightarrow{\lambda} (c_{i+1}, s_{i+1}),$$

then there is a corresponding computation ρ' of c such that the ith transition of ρ' is

$$(c'_i, s_i) \xrightarrow{\lambda} (c'_{i+1}, s_{i+1}),$$

with c_i = c'_i\h. If the computation ρ' is fair mod F ∪ {h?, h!}, then there may be subprocesses of c that are willing to communicate on channel h and yet fail to make progress along ρ'. However, when c appears in the context [−]\h, those subprocesses no longer have communication enabled along channel h and are no longer treated unfairly with respect to h. In effect, placing c in the context [−]\h discharges the assumption that c will eventually appear in a context that restricts communication on h. Hence a computation ρ of c\h is fair mod F whenever its underlying computation of c is fair mod F ∪ {h?, h!}.

Determining the fairness of parallel commands requires more care. Every computation ρ of the command c1||c2 arises from interleaving and merging a computation ρ1 of c1 with a computation ρ2 of c2. Intuitively, when ρ1 is fair mod F1 and ρ2 is fair mod F2, ρ should inherit fairness constraints from both and therefore be fair mod F1 ∪ F2: processes blocked mod F1 along ρ1 do not make progress along ρ, and likewise for F2 and ρ2. However, this analysis is valid only when neither component violates the assumptions incorporated in the other component's fairness set. For example, suppose a process Q of c1 becomes (and remains) blocked mod F1 along ρ1. If the computation ρ2 provides Q with infinitely many opportunities to synchronize, then the implicit assumption that Q will have insufficient opportunities to make progress is violated, and hence ρ cannot be fair (mod any F). It is also essential to ensure that none of the directions in F1 appear infinitely often along ρ2, for the following reason. The fairness set F1 reflects the assumption that c1 (and therefore c1||c2) will appear in a context that restricts communication on the channels associated with F1. If a direction in F1 appears infinitely often along ρ2, then ρ2 can represent c2's transitions only if the context provides infinitely many opportunities to synchronize with c2 on that direction. In such a case, however, the context would also be enabling synchronization with any processes of c1 that were blocked in configurations in which they could use that direction, violating the assumptions inherent in F1.

We can now give a formal, inductive characterization of strongly fair computation modulo F. When F = ∅, this characterization coincides with the traditional notion of strong process fairness, as given in [Fra86, AO91].

Definition 3.1.2 A computation ρ of command c is strongly fair modulo F (or, fair mod F) provided ρ satisfies one of the following conditions:

• ρ is a finite, successfully terminating computation;

• ρ is a partial computation whose final configuration is blocked modulo F;

• ρ is an infinite computation, c has form (c1;c2) or (if b then c1 else c2), and the underlying infinite computation of c1 or c2 is fair mod F;

• ρ is an infinite computation, c has form (while b do c') or (g → c'), and each of ρ's component computations of c' is fair mod F;

• ρ is an infinite computation, c has form (g → c'), and the underlying computation of c' is fair mod F;

• ρ is an infinite computation, c has form (gc1 □ gc2), and the underlying computation of the selected gc_i is fair mod F;

• ρ is an infinite computation, c has form c'\h, and the underlying computation of c' is fair modulo F ∪ {h?, h!};

• ρ is an infinite computation, c has form c1 || c2, and there exist sets F1 and F2 and computations ρ1 of c1 and ρ2 of c2 such that ρ1 is fair mod F1, ρ2 is fair mod F2, F ⊇ F1 ∪ F2, ρ can be obtained by merging and synchronizing ρ1 and ρ2, neither ρ_i enables infinitely often any direction matching a member of F_j (i ≠ j), and neither ρ_i uses a direction in F_j infinitely often. ◇


The following example highlights the compositional aspect of this characterization.

Example 3.1.3 Let C be the program while true do c!1, and consider the computation

$$\rho = (((a!0 \to b!0) \parallel C)\backslash b,\, s) \xrightarrow{a!0} ((b!0 \parallel C)\backslash b,\, s) \xrightarrow{\varepsilon} ((b!0 \parallel (c!1;C))\backslash b,\, s) \xrightarrow{c!1} \cdots$$

in which the b!0 action never occurs. ρ is strongly fair (that is, strongly fair mod ∅), for the following reasons:

1. The partial computation $\rho_1 = (a!0 \to b!0,\, s) \xrightarrow{a!0} (b!0,\, s)$ is fair modulo {b!}.

2. The infinite computation

$$\rho_2 = (C,s) \xrightarrow{\varepsilon} ((c!1;C),s) \xrightarrow{c!1} (C,s) \xrightarrow{\varepsilon} ((c!1;C),s) \xrightarrow{c!1} (C,s) \cdots$$

is fair mod ∅. Moreover, the only direction enabled infinitely often along ρ2 is c!.

3. Let ρ' be the infinite computation

$$((a!0 \to b!0) \parallel C,\, s) \xrightarrow{a!0} (b!0 \parallel C,\, s) \xrightarrow{\varepsilon} (b!0 \parallel (c!1;C),\, s) \xrightarrow{c!1} (b!0 \parallel C,\, s) \xrightarrow{\varepsilon} (b!0 \parallel (c!1;C),\, s) \xrightarrow{c!1} \cdots$$

in which the b!0 action never occurs. This computation can be obtained by merging ρ1 and ρ2. Because ρ2 does not use or enable synchronization with b! infinitely often, ρ' is fair modulo {b!}.

4. Because the underlying computation of ρ is ρ', ρ is fair modulo ∅. ◇

The next example illustrates the role that the fairness sets F play in determining those contexts in which a given computation can be considered fair.

Example 3.1.4

1. Let C be the program while true do (a!1 □ b!1), and consider the computation

$$\rho_C = (C,s) \xrightarrow{\varepsilon} ((a!1 \,\Box\, b!1);C,\, s) \xrightarrow{a!1} (C,s) \xrightarrow{\varepsilon} ((a!1 \,\Box\, b!1);C,\, s) \xrightarrow{a!1} \cdots$$

that never outputs along channel b. The set of directions enabled infinitely often along ρ_C is {a!, b!}, but ρ_C is fair mod ∅ because there are no parallel subcomponents of C that become blocked along ρ_C.

2. Define C1 = while true do a!1 and C2 = b!1 → (while true do b!1), and consider the computation

$$\rho = (C_1 \parallel C_2,\, s) \xrightarrow{\varepsilon} ((a!1;C_1) \parallel C_2,\, s) \xrightarrow{a!1} (C_1 \parallel C_2,\, s) \xrightarrow{\varepsilon} \cdots$$

that never outputs along channel b. The set of infinitely enabled directions of ρ is also {a!, b!}. The computation ρ is not fair mod ∅, because the component C2 remains blocked mod {b!}. However, ρ is fair mod {b!}.

3. Let C_P be the program while true do (a!0 □ b?z), and let ρ_P be the computation

$$(C_P,s) \xrightarrow{\varepsilon} ((a!0 \,\Box\, b?z);C_P,\, s) \xrightarrow{a!0} (C_P,s) \xrightarrow{\varepsilon} ((a!0 \,\Box\, b?z);C_P,\, s) \xrightarrow{a!0} \cdots$$

that never receives input along channel b. ρ_P is fair mod ∅ and enables both a! and b? infinitely often.

Let P[−] be the program context ([−] || C_P)\b. There is a fair (mod ∅) computation of P[C] that corresponds to a merging of ρ_C and ρ_P and hence involves no synchronizations on channel b. In contrast, every fair (mod ∅) computation of P[C1 || C2] must eventually synchronize on channel b, because it is unfair for C2 to be forced to block on b! when a matching direction is enabled infinitely often. Thus there is no fair execution of P[C1 || C2] in which the C_P component performs ρ_P. ◇
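As an added illustration (not from the dissertation), the following Python encodes the side conditions of the parallel clause of Definition 3.1.2 together with the channel-restriction clause, and applies them to the computations of Example 3.1.4. The Summary abstraction is my own: each infinite computation is described only by the smallest set it is fair modulo, by en(ρ), and by the directions it uses infinitely often, which is all the parallel clause inspects.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Summary:
    """Abstract view of one infinite computation ρ_i of a component c_i.

    fair_mod    : the smallest F such that ρ_i is fair mod F
    enabled_inf : en(ρ_i), the directions enabled infinitely often along ρ_i
    used_inf    : the directions ρ_i actually uses infinitely often
    """
    fair_mod: frozenset
    enabled_inf: frozenset
    used_inf: frozenset


def matching(direction):
    """The direction that can synchronize with this one: h! <-> h?."""
    chan, kind = direction[:-1], direction[-1]
    return chan + ("?" if kind == "!" else "!")


def parallel(r1, r2):
    """Side conditions of the c1 || c2 clause of Definition 3.1.2.

    Returns the summary of the merged computation (fair mod F1 ∪ F2), or
    None when one component violates the assumptions built into the other
    component's fairness set, in which case no merge is fair mod any F.
    """
    for mine, other in ((r1, r2), (r2, r1)):
        # other must not enable, infinitely often, a direction matching F_mine
        if any(matching(d) in other.enabled_inf for d in mine.fair_mod):
            return None
        # other must not itself use a direction of F_mine infinitely often
        if other.used_inf & mine.fair_mod:
            return None
    return Summary(r1.fair_mod | r2.fair_mod,
                   r1.enabled_inf | r2.enabled_inf,
                   r1.used_inf | r2.used_inf)


def restrict(r, chan):
    """Clause for c\\h: c\\h is fair mod F when the underlying computation
    is fair mod F ∪ {h?, h!}, so h's directions are discharged from the
    fairness set and hidden from any outer context."""
    hidden = frozenset({chan + "!", chan + "?"})
    return Summary(r.fair_mod - hidden, r.enabled_inf - hidden, r.used_inf - hidden)


def strongly_fair(r):
    """Traditional strong fairness is fairness mod ∅."""
    return not r.fair_mod


# Constructed summaries of the computations in Example 3.1.4.
RHO_C = Summary(frozenset(), frozenset({"a!", "b!"}), frozenset({"a!"}))        # ρ_C of C
RHO_12 = Summary(frozenset({"b!"}), frozenset({"a!", "b!"}), frozenset({"a!"}))  # ρ of C1 || C2
RHO_P = Summary(frozenset(), frozenset({"a!", "b?"}), frozenset({"a!"}))        # ρ_P of C_P
# Constructed: a computation of  while true do b!1  that outputs on b forever.
RHO_B = Summary(frozenset(), frozenset({"b!"}), frozenset({"b!"}))


def in_context(r):
    """Fairness of P[-] = ([-] || C_P)\\b when the C_P component performs ρ_P."""
    merged = parallel(r, RHO_P)
    return None if merged is None else restrict(merged, "b")


if __name__ == "__main__":
    print("P[C]        :", in_context(RHO_C))       # fair mod ∅
    print("P[C1 || C2] :", in_context(RHO_12))      # None: ρ_P enables b? forever
    print("(C1||C2)||C :", parallel(RHO_12, RHO_C))  # fair mod {b!}: nobody offers b?
```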
3.2 Strongly Fair Traces

We define a set of steps

$$\Sigma = S \times \Lambda \times S;$$

intuitively, the step (s, λ, s') corresponds to a transition of the form $(c,s) \xrightarrow{\lambda} (c',s')$. Thus each step records the initial and final states of a transition, as well as the label of the action that occurred. We also introduce a set of empty traces $\Sigma^{\varepsilon} = \{\varepsilon_s \mid s \in S\}$, with each ε_s corresponding to configurations of form (c, s). The set of finite traces is $\Sigma^{*} = \Sigma^{\varepsilon} \cup \Sigma^{+}$, where

$$\Sigma^{+} = \{(s_0,\lambda_0,s_1)(s_1,\lambda_1,s_2)\cdots(s_k,\lambda_k,s_{k+1}) \mid k \geq 0 \;\&\; \forall i \leq k.\ (s_i,\lambda_i,s_{i+1}) \in \Sigma\}$$

is the set of nonempty finite traces. We let $\Sigma^{\infty} = \Sigma^{*} \cup \Sigma^{\omega}$, where the set $\Sigma^{\omega}$ of infinite traces is defined by

$$\Sigma^{\omega} = \{(s_0,\lambda_0,s_1)(s_1,\lambda_1,s_2)\cdots(s_k,\lambda_k,s_{k+1})\cdots \mid \forall i \geq 0.\ (s_i,\lambda_i,s_{i+1}) \in \Sigma\}.$$

Each trace $\alpha \in \Sigma^{\infty}$ represents a finite or infinite transition sequence.

Two traces α and β are composable if α is infinite or if the final state of α is the first state of β; we write composable(α, β) in such cases. For composable traces α and β, the trace αβ is their (string-like) concatenation. For example, if α = (s0, λ0, s1)(s1, λ1, s2) and β = (s2, λ2, s3), then

$$\alpha\beta = (s_0,\lambda_0,s_1)(s_1,\lambda_1,s_2)(s_2,\lambda_2,s_3).$$

The traces of $\Sigma^{\varepsilon}$ serve as local units for concatenation: αε_s = α and ε_sβ = β when s is the final state of α and the first state of β. Infinite concatenation is the obvious extension of finite concatenation. An infinite sequence of traces α0, α1, α2, ... is composable if, for every i ≥ 0, the traces α0α1...α_i and α_{i+1} are composable; their concatenation is the trace

$$\alpha_0\alpha_1\alpha_2\cdots\alpha_k\alpha_{k+1}\cdots.$$


These simple traces are insufficient for reasoning about strong process fairness compositionally, because they fail to record the necessary contextual information made explicit in Definition 3.1.2. For any infinite computation ρ, we need to know which directions are enabled infinitely often along ρ. We also need to know for which contexts ρ will represent a fair computation; that is, we need to know for which sets F the computation ρ is fair modulo F. Every finite computation is fair mod F for all sets F. However, because a finite computation may be used to generate an infinite computation, we also need to know which directions are enabled along a finite computation. Finally, to reason about deadlock and blocking, we need information about partial computations. For a partial computation ρ, we need to know what types of actions (including δ) are possible from the final configuration of ρ. Because a partial computation will never be iterated in a looping context, we do not need to record the directions enabled along that computation.

We combine simple traces with this additional contextual information to yield fair traces. Letting

$$\Gamma = \mathcal{P}_{\mathrm{fin}}(\Delta^{+}) \times \mathcal{P}_{\mathrm{fin}}(\Delta^{+}) \times \{\mathrm{f},\mathrm{i},\mathrm{p}\}$$

capture the necessary contextual information, we define the set $\Phi \subseteq \Sigma^{\infty} \times \Gamma$ of fair traces as

$$\begin{aligned}
\Phi = {} & \Sigma^{*} \times (\mathcal{P}_{\mathrm{fin}}(\Delta) \times \mathcal{P}_{\mathrm{fin}}(\Delta) \times \{\mathrm{f}\}) \\
\cup\ & \Sigma^{\omega} \times (\mathcal{P}_{\mathrm{fin}}(\Delta) \times \mathcal{P}_{\mathrm{fin}}(\Delta) \times \{\mathrm{i}\}) \\
\cup\ & \Sigma^{*} \times (\mathcal{P}_{\mathrm{fin}}(\Delta^{+}) \times \mathcal{P}_{\mathrm{fin}}(\Delta^{+}) \times \{\mathrm{p}\}).
\end{aligned}$$

For convenience, we occasionally use Φ_fin, Φ_inf, and Φ_par to refer to the subsets of Φ with tags f, i, and p, respectively.

Intuitively, the fair trace (α, (F, E, f)) represents a fair mod F, successfully terminating computation with enabled directions E; the tag "f" merely indicates that the trace represents a finite computation. Similarly, the fair trace (α, (F, E, i)) represents an infinite, fair mod F computation with infinitely often enabled directions E; the tag "i" indicates that the trace represents an infinite computation. The fair trace (α, (F, E, p)) (with F ⊇ E) represents a partial computation for which the directions E (possibly including δ) are enabled in the final configuration. When δ is not in E, the blocked computation is necessarily fair mod E, and therefore fair mod F as well. Again, the tag "p" merely indicates that the trace represents a partial computation. Technically, the F-component of the contextual tuple is unnecessary for finite traces because every finite computation is necessarily fair. Similarly, the F-component of a partial computation does not provide any essential information not already incorporated in the E-component. However, the inclusion of these components allows a consistent representation for all fair traces, which will be convenient for subsequent definitions.

For every (possibly partial) computation ρ, trace(ρ) is the simple trace that corresponds to the transitions made along ρ. For example, if ρ is the computation

$$(c,s_0) \xrightarrow{\lambda_0} (c_1,s_1) \xrightarrow{\lambda_1} \cdots \xrightarrow{\lambda_{k-1}} (c_k,s_k),$$

then $\mathrm{trace}(\rho) = (s_0,\lambda_0,s_1)(s_1,\lambda_1,s_2)\cdots(s_{k-1},\lambda_{k-1},s_k)$. The set en(ρ) contains the "relevant" directions enabled along ρ: when ρ is a finite computation, en(ρ) contains the directions enabled along ρ; when ρ is an infinite computation, en(ρ) contains the directions enabled infinitely often along ρ.

We can give an operational characterization of a fair trace semantics $\mathcal{T} : \mathrm{Com} \to \mathcal{P}(\Phi)$ as follows:

$$\begin{aligned}
\mathcal{T}\llbracket c \rrbracket = {} & \{(\mathrm{trace}(\rho), (F, \mathrm{en}(\rho), \mathrm{f})) \mid \rho = (c,s_0) \to \cdots \to (c_k,s_k)\ \mathrm{term}\ \text{is fair mod } F\} \\
\cup\ & \{(\mathrm{trace}(\rho), (F, E, \mathrm{p})) \mid E = \mathrm{inits}(c_k,s_k) \;\&\; F \supseteq E \;\&\; \rho = (c,s_0) \to (c_1,s_1) \to \cdots \to (c_k,s_k) \;\&\; \neg (c_k,s_k)\ \mathrm{term}\} \\
\cup\ & \{(\mathrm{trace}(\rho), (F, \mathrm{en}(\rho), \mathrm{i})) \mid \rho = (c,s_0) \to (c_1,s_1) \to \cdots \text{ is strongly fair mod } F\}.
\end{aligned}$$

3.3 Strongly Fair Trace Semantics

In the previous section, we gave an operational characterization of a fair trace semantics 𝒯. In this section, we show how to give a denotational characterization of this same semantic function. We do this by defining, for each construct in the language, a corresponding operation on trace sets.

We assume semantic functions $\mathcal{B} : \mathrm{BExp} \to \mathcal{P}(S \times \mathbb{B})$ and $\mathcal{E} : \mathrm{Exp} \to \mathcal{P}(S \times \mathbb{Z})$ characterized operationally by

$$\mathcal{B}\llbracket b \rrbracket = \{(s,v) \mid (b,s) \to v\}, \qquad \mathcal{E}\llbracket e \rrbracket = \{(s,n) \mid (e,s) \to n\}.$$

We also introduce a semantic function $\mathcal{T} : \mathrm{BExp} \to \mathcal{P}(\Phi)$ such that

$$\mathcal{T}\llbracket b \rrbracket = \{((s,\varepsilon,s), (F,\emptyset,\mathrm{f})),\ (\varepsilon_s, (F \cup \{\delta\}, \{\delta\}, \mathrm{p})) \mid (s,\mathit{tt}) \in \mathcal{B}\llbracket b \rrbracket \;\&\; F \in \mathcal{P}_{\mathrm{fin}}(\Delta)\}.$$

Intuitively, $\mathcal{T}\llbracket b \rrbracket$ contains the idle steps possible from states satisfying the boolean expression b. Note that, for any boolean expression b,

$$\begin{aligned}
\mathcal{T}\llbracket \neg b \rrbracket &= \{((s,\varepsilon,s), (F,\emptyset,\mathrm{f})),\ (\varepsilon_s, (F \cup \{\delta\}, \{\delta\}, \mathrm{p})) \mid (s,\mathit{tt}) \in \mathcal{B}\llbracket \neg b \rrbracket \;\&\; F \in \mathcal{P}_{\mathrm{fin}}(\Delta)\} \\
&= \{((s,\varepsilon,s), (F,\emptyset,\mathrm{f})),\ (\varepsilon_s, (F \cup \{\delta\}, \{\delta\}, \mathrm{p})) \mid (s,\mathit{ff}) \in \mathcal{B}\llbracket b \rrbracket \;\&\; F \in \mathcal{P}_{\mathrm{fin}}(\Delta)\}.
\end{aligned}$$

Consequently, both $\mathcal{T}\llbracket b \rrbracket$ and $\mathcal{T}\llbracket \neg b \rrbracket$ can be defined solely in terms of b.

Based on the operational characterization of 𝒯, it should be easy to see that

$$\begin{aligned}
\mathcal{T}\llbracket \mathbf{skip} \rrbracket = {} & \{((s,\varepsilon,s), (F,\emptyset,\mathrm{f})) \mid s \in S \;\&\; F \in \mathcal{P}_{\mathrm{fin}}(\Delta)\} \\
\cup\ & \{(\varepsilon_s, (F,\{\delta\},\mathrm{p})) \mid s \in S \;\&\; F \supseteq \{\delta\}\}
\end{aligned}$$

and

$$\begin{aligned}
\mathcal{T}\llbracket i := e \rrbracket = {} & \{((s,\varepsilon,[s \mid i = n]), (F,\emptyset,\mathrm{f})) \mid \mathrm{fv}\llbracket i := e \rrbracket \subseteq \mathrm{dom}(s) \;\&\; F \in \mathcal{P}_{\mathrm{fin}}(\Delta) \;\&\; (s,n) \in \mathcal{E}\llbracket e \rrbracket\} \\
\cup\ & \{(\varepsilon_s, (F,\{\delta\},\mathrm{p})) \mid \mathrm{fv}\llbracket i := e \rrbracket \subseteq \mathrm{dom}(s) \;\&\; F \supseteq \{\delta\}\}.
\end{aligned}$$

Similarly, for guards we obtain

$$\begin{aligned}
\mathcal{T}\llbracket h?i \rrbracket = {} & \{((s,h?n,[s \mid i = n]), (F,\{h?\},\mathrm{f})) \mid i \in \mathrm{dom}(s) \;\&\; n \in \mathbb{Z} \;\&\; F \in \mathcal{P}_{\mathrm{fin}}(\Delta)\} \\
\cup\ & \{(\varepsilon_s, (F,\{h?\},\mathrm{p})) \mid i \in \mathrm{dom}(s) \;\&\; F \supseteq \{h?\}\}
\end{aligned}$$

and

$$\begin{aligned}
\mathcal{T}\llbracket h!e \rrbracket = {} & \{((s,h!n,s), (F,\{h!\},\mathrm{f})) \mid (s,n) \in \mathcal{E}\llbracket e \rrbracket \;\&\; F \in \mathcal{P}_{\mathrm{fin}}(\Delta)\} \\
\cup\ & \{(\varepsilon_s, (F,\{h!\},\mathrm{p})) \mid \mathrm{fv}\llbracket e \rrbracket \subseteq \mathrm{dom}(s) \;\&\; F \supseteq \{h!\}\}.
\end{aligned}$$

Sequential composition

The command c1;c2 represents the sequential composition of commands c1 and c2: each computation of c1;c2 corresponds to a computation of c1 that, if successful, is followed by a computation of c2. If the computation of c1 terminates successfully in state s, then the computation of c2 must begin from state s; if the computation of c1 instead is infinite or becomes blocked, then the computation of c2 never begins. We can construct the traces of c1;c2 by combining traces of c1 with traces of c2 in a similar way.

Two fair traces φ1 and φ2 are composable whenever φ1 is an infinite or partial trace, or when their simple trace components are composable (that is, when the final state of the first trace is the initial state of the second trace). We write composable(φ1, φ2) when φ1 and φ2 are composable. When φ1 = (α, (F1, E1, R1)) and φ2 = (β, (F2, E2, R2)) are composable fair traces, their concatenation φ1φ2 is defined by:

$$\varphi_1\varphi_2 = \begin{cases}
\varphi_1, & \text{if } R_1 \in \{\mathrm{i},\mathrm{p}\}, \\
(\alpha\beta, (F_2, E_1 \cup E_2, \mathrm{f})), & \text{if } R_1 = R_2 = \mathrm{f}, \\
(\alpha\beta, (F_2, E_2, R_2)), & \text{if } R_1 = \mathrm{f} \text{ and } R_2 \in \{\mathrm{i},\mathrm{p}\}.
\end{cases}$$

As is evident from this definition, the necessary contextual information for the resulting trace depends on the form of the individual traces. When α represents an infinite or partial computation, the contextual information of β becomes irrelevant: the computation represented by β never begins, because the computation represented by α does not terminate. When α represents a finite, successful computation, its fairness constraints (as represented by the fairness set F1) become irrelevant; however, the finite enabling information provided by E1 must be preserved when the resulting trace also represents a finite, successful computation.

Thus we define sequential composition on trace sets T1 and T2 by

$$T_1 ; T_2 = \{\varphi_1\varphi_2 \mid \varphi_1 \in T_1 \;\&\; \varphi_2 \in T_2 \;\&\; \mathrm{composable}(\varphi_1,\varphi_2)\}.$$
We can then define

$$\begin{aligned}
\mathcal{T}\llbracket c_1 ; c_2 \rrbracket &= \mathcal{T}\llbracket c_1 \rrbracket ; \mathcal{T}\llbracket c_2 \rrbracket, \\
\mathcal{T}\llbracket g \to c \rrbracket &= \mathcal{T}\llbracket g \rrbracket ; \mathcal{T}\llbracket c \rrbracket, \\
\mathcal{T}\llbracket \mathbf{if}\ b\ \mathbf{then}\ c_1\ \mathbf{else}\ c_2 \rrbracket &= \mathcal{T}\llbracket b \rrbracket ; \mathcal{T}\llbracket c_1 \rrbracket \ \cup\ \mathcal{T}\llbracket \neg b \rrbracket ; \mathcal{T}\llbracket c_2 \rrbracket.
\end{aligned}$$


Iteration

Loops correspond to the finite or infinite iteration of a single command. Thus we base our semantics for loops on the iteration of trace sets.

When $\{X_i \mid i \geq 0\}$ is a collection of finite sets, we let $\biguplus_{i=0}^{\infty} X_i$ be the set of elements appearing in infinitely many sets X_i. That is,

$$\biguplus_{i=0}^{\infty} X_i = \{d \mid \forall j \geq 0.\ \exists k \geq j.\ d \in X_k\}.$$

We then introduce composability criteria for infinite collections of fair traces. Let $(\varphi_i)_{i=0}^{\infty}$ represent an infinite sequence of fair traces

$$\varphi_0, \varphi_1, \ldots, \varphi_n, \ldots,$$

such that, for each i ≥ 0, $\varphi_i = (\alpha_i, (F_i, E_i, R_i))$. The sequence $(\varphi_i)_{i=0}^{\infty}$ is composable, written $\mathrm{composable}((\varphi_i)_{i=0}^{\infty})$, if, for each i, the traces $\varphi_0\varphi_1\cdots\varphi_{i-1}$ and $\varphi_i$ are composable and the sets $\biguplus_{i=0}^{\infty} F_i$ and $\biguplus_{i=0}^{\infty} E_i$ are finite. (These sets must be finite to ensure that the resulting trace is well-formed.) We then define infinite concatenation as follows:

$$\varphi_0\varphi_1\cdots\varphi_n\cdots = \begin{cases}
(\alpha_0\alpha_1\cdots\alpha_n\cdots,\ (\biguplus_{i=0}^{\infty} F_i,\ \biguplus_{i=0}^{\infty} E_i,\ \mathrm{i})), & \text{if } \forall i.\ R_i = \mathrm{f}, \\
(\alpha_0\alpha_1\cdots\alpha_k,\ (F_k, E_k, R_k)), & \text{if } \forall i < k.\ R_i = \mathrm{f} \text{ and } R_k \in \{\mathrm{i},\mathrm{p}\}.
\end{cases}$$

When each φ_i is finite, the infinitely enabled directions of the resulting trace are those directions that appear in infinitely many of the sets E_i, and similarly for the infinitely visible directions. When at least one φ_i is an infinite or partial trace, the infinite concatenation is simply the finite concatenation φ0φ1···φ_k, where φ_k is the first infinite or partial trace of the series.

The definitions for finite and infinite iteration on trace sets follow directly from the definitions of concatenation and sequential composition. Finite iteration on the trace set T is defined by

$$T^{*} = \bigcup_{n=0}^{\infty} T^{n},$$

where $T^{0} = \{(\varepsilon_s, (\emptyset,\emptyset,\mathrm{f})) \mid s \in S\}$ and $T^{n+1} = T^{n} ; T$. Infinite iteration on the trace set T is defined as follows:

$$T^{\omega} = \{\varphi_0\varphi_1\cdots\varphi_k\cdots \mid (\forall i \geq 0.\ \varphi_i \in T) \;\&\; \mathrm{composable}((\varphi_i)_{i=0}^{\infty})\}.$$

We can give the semantics of loops using these definitions of iteration:

$$\mathcal{T}\llbracket \mathbf{while}\ b\ \mathbf{do}\ c \rrbracket = (\mathcal{T}\llbracket b \rrbracket ; \mathcal{T}\llbracket c \rrbracket)^{\omega} \ \cup\ (\mathcal{T}\llbracket b \rrbracket ; \mathcal{T}\llbracket c \rrbracket)^{*} ; \mathcal{T}\llbracket \neg b \rrbracket.$$


Guarded choice

The command $gc_1 \square gc_2$ represents a choice, to be made on the first step, between the guarded commands $gc_1$ and $gc_2$. Every computation of $gc_1$ and of $gc_2$ therefore gives rise to a corresponding computation of $gc_1 \square gc_2$ that, on its initial step, can perform any action enabled by either component. Whenever a fair trace $\varphi$ represents an infinite computation (or a partial computation involving at least one step) of $gc_1$ or $gc_2$, $\varphi$ necessarily also represents a computation of $gc_1 \square gc_2$. When $\varphi$ represents a finite computation (or a partial computation involving no steps) of $gc_1$ or $gc_2$, however, the enabling component $E$ must be augmented with those directions that were enabled initially by the unchosen component. This additional enabling information can be generated by looking at the "empty" partial traces of the unchosen component: if $(\varepsilon_s, (F, E, \mathbf{p}))$ is a trace of $gc_i$, then $gc_i$ must be able to perform the actions $E$ on its first step. Thus we define guarded choice on trace sets as follows:

$$\begin{aligned} T_1 \square T_2 = {} & \{(\alpha, (F, E, \mathbf{i})) \in T_1 \cup T_2 \mid \alpha \text{ infinite}\} \cup \{(\alpha, (F, E, \mathbf{p})) \in T_1 \cup T_2 \mid \alpha \text{ nonempty}\} \\ & \cup \{(\varepsilon_s, (F_1 \cup F_2, E_1 \cup E_2, \mathbf{p})) \mid (\varepsilon_s, (F_1, E_1, \mathbf{p})) \in T_1\ \&\ (\varepsilon_s, (F_2, E_2, \mathbf{p})) \in T_2\} \\ & \cup \{(\alpha, (F_1, E_1 \cup E_2, \mathbf{f})) \mid (\varepsilon_s\alpha, (F_1, E_1, \mathbf{f})) \in T_1\ \&\ (\varepsilon_s, (F_2, E_2, \mathbf{p})) \in T_2\ \&\ \delta \notin E_2\} \\ & \cup \{(\alpha, (F_2, E_1 \cup E_2, \mathbf{f})) \mid (\varepsilon_s\alpha, (F_2, E_2, \mathbf{f})) \in T_2\ \&\ (\varepsilon_s, (F_1, E_1, \mathbf{p})) \in T_1\ \&\ \delta \notin E_1\}. \end{aligned}$$

The final two clauses impose conditions of form $\delta \notin E_i$ when $(\varepsilon_s, (F_i, E_i, \mathbf{p}))$ is a trace of the unchosen component. Technically, these conditions are moot: we perform the operation $T_1 \square T_2$ only when $T_1$ and $T_2$ are trace sets of guarded commands, and $\delta$ is never enabled on the first step of guarded commands. However, in Chapter 4 we introduce semantic variations in which $\delta$ may appear to be enabled on the initial step, and these conditions maintain the integrity of the resulting traces' sets of enabled directions.

We define $\mathcal{T}[\![gc_1 \square gc_2]\!] = \mathcal{T}[\![gc_1]\!] \square \mathcal{T}[\![gc_2]\!]$.

Channel restriction

The computations of $c\backslash h$ are the computations of $c$ that do not use channel $h$ for visible communications. Correspondingly, $T\backslash h$ can be obtained from $T$ by first removing those traces in which $h$ is visible and then deleting $h?$ and $h!$ from the enabling and fairness sets of the remaining traces. For a trace $\alpha$, $chans(\alpha)$ is the set of channels appearing along $\alpha$. For a set $X$ of directions, we let $X\backslash h$ be the set $X$ with references to channel $h$ removed: $X\backslash h = X - \{h?, h!\}$. We then define $T\backslash h$ by

$$T\backslash h = \{(\alpha, (F', E\backslash h, R)) \mid (\alpha, (F, E, R)) \in T\ \&\ F' \supseteq F\backslash h\ \&\ h \notin chans(\alpha)\},$$

so that $\mathcal{T}[\![c\backslash h]\!] = \mathcal{T}[\![c]\!]\backslash h$.
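As an added illustration that is not part of the dissertation, the following Python encodes the five clauses of $T_1 \square T_2$ and the restriction $T\backslash h$ over small constructed trace sets for the guarded commands $a!0 \to \mathbf{skip}$ and $b!1 \to c?z$ (these commands, their states and their trace sets are assumptions). Where the text closes a fairness set upward over all finite supersets, the code keeps only the least representative.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

State = FrozenSet[Tuple[str, int]]   # a local state as a set of (identifier, value) pairs
Step = Tuple[str, State]             # one transition: (action label, resulting state)
DELTA = "δ"                          # the internal (silent) action


@dataclass(frozen=True)
class FairTrace:
    """A fair trace (α, (F, E, R)).  α is its initial state plus its steps, so the
    empty trace ε_s is FairTrace(s, (), ...).  R is 'f' (finite, successful),
    'p' (partial) or 'i' (infinite); E holds the directions enabled along a
    finite trace, or enabled next for a partial one."""
    init: State
    steps: Tuple[Step, ...]
    F: FrozenSet[str]
    E: FrozenSet[str]
    R: str


def guarded_choice(T1, T2):
    """T1 □ T2: the five clauses of the text, in order."""
    out = set()
    # Clauses 1-2: infinite traces, and partial traces with at least one step,
    # are traces of the choice as they stand.
    for t in T1 | T2:
        if t.R == "i" or (t.R == "p" and t.steps):
            out.add(t)
    # The "empty" partial traces (ε_s, (F, E, p)) say what each component can do first.
    idle1 = [t for t in T1 if t.R == "p" and not t.steps]
    idle2 = [t for t in T2 if t.R == "p" and not t.steps]
    # Clause 3: neither component has moved, so either one's first step stays enabled.
    for e1 in idle1:
        for e2 in idle2:
            if e1.init == e2.init:
                out.add(FairTrace(e1.init, (), e1.F | e2.F, e1.E | e2.E, "p"))
    # Clauses 4-5: a finite trace of the chosen component keeps its own F, and its E
    # is augmented with what the unchosen component enabled initially (unless δ).
    for chosen, idle_other in ((T1, idle2), (T2, idle1)):
        for t in chosen:
            if t.R != "f":
                continue
            for e in idle_other:
                if e.init == t.init and DELTA not in e.E:
                    out.add(FairTrace(t.init, t.steps, t.F, t.E | e.E, "f"))
    return frozenset(out)


def chans(t):
    """chans(α): the channels of the non-δ actions along α (label h!v or h?v ↦ h)."""
    return {label.split("!")[0].split("?")[0] for label, _ in t.steps if label != DELTA}


def restrict(T, h):
    """T\\h: drop traces in which h is visible, then delete h? and h! from E and F.
    The text admits any finite F' ⊇ F\\h; the least such F' is kept here."""
    gone = {h + "?", h + "!"}
    return frozenset(FairTrace(t.init, t.steps, t.F - gone, t.E - gone, t.R)
                     for t in T if h not in chans(t))


# Constructed sample trace sets (assumed, not from the text) for the guarded commands
# gc1 = a!0 → skip and gc2 = b!1 → c?z, all starting from the local state S.
S = frozenset({("z", 0)})
S5 = frozenset({("z", 5)})
A_OUT, B_OUT, C_IN = frozenset({"a!"}), frozenset({"b!"}), frozenset({"c?"})
T1 = frozenset({
    FairTrace(S, (("a!0", S), (DELTA, S)), frozenset(), A_OUT, "f"),  # a!0, then skip
    FairTrace(S, (), A_OUT, A_OUT, "p"),                              # idle, blocked on a!
})
T2 = frozenset({
    FairTrace(S, (("b!1", S), ("c?5", S5)), frozenset(), B_OUT | C_IN, "f"),  # b!1, then c?5
    FairTrace(S, (("b!1", S),), C_IN, C_IN, "p"),                              # b!1, blocked on c?
    FairTrace(S, (), B_OUT, B_OUT, "p"),                                       # idle, blocked on b!
})


def choice_then_restrict():
    """(T1 □ T2)\\c: the c?5 trace disappears, and the trace blocked on c? is left
    blocked mod ∅, i.e. with no direction that fairness could ever require of it."""
    return restrict(guarded_choice(T1, T2), "c")


if __name__ == "__main__":
    for t in sorted(guarded_choice(T1, T2), key=lambda t: (t.R, len(t.steps))):
        print(t.R, [lab for lab, _ in t.steps], sorted(t.F), sorted(t.E))
    print("after \\c:", len(choice_then_restrict()), "traces")
```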

Parallel composition

The command $c_1 \| c_2$ represents the parallel execution of the commands $c_1$ and $c_2$. The computations of $c_1 \| c_2$ can be derived from interleavings and synchronizations of computations of $c_1$ with computations of $c_2$. Likewise, the fair traces of $c_1 \| c_2$ can be derived from interleavings and synchronizations of traces of $c_1$ with traces of $c_2$.

Of course, only certain pairs of computations — and, correspondingly, traces — can be merged in a meaningful way. For example, merging a partial computation represented by the fair trace $(\alpha, (\{h!\}, \{h!\}, \mathbf{p}))$ with an infinite computation represented by the fair trace $(\beta, (\emptyset, \{h?\}, \mathbf{i}))$ does not yield a fair computation of the parallel command: the first component cannot remain blocked if it is enabled for synchronization infinitely often. For this reason, we introduce a predicate $mergeable$ that indicates when a potential merging of fair traces is "meaningful": the predicate $mergeable(\varphi_1, \varphi_2)$ is true precisely when merging computations represented by $\varphi_1$ and $\varphi_2$ would yield a fair (modulo an appropriate set $F$) computation of the corresponding parallel command. The criteria for determining whether two traces are mergeable follow directly from the parallel clause of the parameterized fairness definition in Section 3.1. We let $vis(\alpha)$ be the set of directions visible infinitely often along the simple trace $\alpha$: for example, if $\alpha = (s, b!0, s)[(s, a!0, s)]^{\omega}$, then $vis(\alpha) = \{a!\}$. We then define the predicate $mergeable(\varphi_1, \varphi_2)$ for fair traces $\varphi_1 = (\alpha_1, (F_1, E_1, R_1))$ and $\varphi_2 = (\alpha_2, (F_2, E_2, R_2))$ as follows:

$$\begin{aligned} mergeable(\varphi_1, \varphi_2) \iff {} & (R_1 = \mathbf{f}) \text{ or } (R_2 = \mathbf{f}) \text{ or } (R_1 = R_2 = \mathbf{p}) \text{ or } \\ & (\delta \notin E_1 \cup E_2\ \&\ \neg match(F_1, E_2)\ \&\ \neg match(F_2, E_1)\ \&\ F_1 \cap vis(\alpha_2) = \emptyset\ \&\ F_2 \cap vis(\alpha_1) = \emptyset). \end{aligned}$$

Any trace can be merged safely with a finite, successful trace; hence two traces are mergeable if either trace is finite. Additionally, two partial traces can always be merged to yield a partial trace of the parallel command. The final clause specifies when an infinite trace can be merged with another infinite trace or a partial trace; its individual conditions correspond precisely to the conditions incorporated into the parallel-composition clause for parameterized strong fairness in Definition 3.1.2. A partial trace represents a computation that can become blocked, provided that no $\delta$-transition is possible from its final configuration. The conditions $\neg match(F_1, E_2)$ and $\neg match(F_2, E_1)$ ensure that neither component enables synchronization infinitely often with any direction in the other component's fairness set. Similarly, the conditions $F_1 \cap vis(\alpha_2) = \emptyset$ and $F_2 \cap vis(\alpha_1) = \emptyset$ ensure that neither component uses infinitely often a direction in the other component's fairness set.

Given two mergeable computations (or traces), only certain mergings of them will represent fair computations (or traces) of the corresponding parallel command. In particular, every fair merge of the traces $\varphi_1$ and $\varphi_2$ should "consume" all of $\varphi_1$ and $\varphi_2$. That is, every step of each $\varphi_i$ should be accounted for in any fair merge of $\varphi_1$ and $\varphi_2$. We can capture this intuition by defining a ternary relation $fairmerge \subseteq \Phi \times \Phi \times \Phi$ on fair traces, adapted from Park's fairmerge relation [Par79] to account for the possibility of synchronization, with the idea that $(\varphi_1, \varphi_2, \varphi) \in fairmerge$ if and only if $\varphi$ arises from a fair interleaving (and synchronization) of $\varphi_1$ and $\varphi_2$. The definition of $fairmerge$ relies on two different sets of triples: $both$, whose triples represent finite sequences of transitions made while both components are active, and $one$, whose triples represent transition sequences made by one component after the other has terminated. Before defining these sets, we introduce some interleaving and merging operators on both simple and fair traces.

Consider a parallel program $C_1 \| C_2$, and suppose that $C_1$ can perform a finite transition sequence represented by the simple trace $\alpha = (s_0, \lambda_0, s_1)(s_1, \lambda_1, s_2) \cdots (s_k, \lambda_k, s_{k+1})$. If $s$ is a local state of $C_2$, then the simple trace

$$\alpha \amalg \varepsilon_s = (s_0 \cup s, \lambda_0, s_1 \cup s)(s_1 \cup s, \lambda_1, s_2 \cup s) \ldots (s_k \cup s, \lambda_k, s_{k+1} \cup s)$$

represents a finite transition sequence of the parallel command in which $C_1$ makes the transitions represented by $\alpha$ and $C_2$ idles in its local state. The trace $\alpha \amalg \varepsilon_s$ is similarly defined for infinite traces $\alpha$, capturing the intuition that $C_1$ can perform $\alpha$ uninterrupted when $C_2$ has no transitions possible from state $s$. For finite, nonempty, disjoint¹ traces $\alpha$ and $\beta$, we also define

$$\alpha \amalg \beta = (\alpha \amalg \varepsilon_t)(\beta \amalg \varepsilon_s),$$

where $s$ and $t$ are the final state of $\alpha$ and the initial state of $\beta$, respectively. That is, $\alpha \amalg \beta$ is the trace that looks like $\alpha$ (with the first state of $\beta$ propagated), followed by $\beta$ (with the final state of $\alpha$ propagated). Intuitively, if $\alpha$ and $\beta$ represent finite transition sequences of $C_1$ and $C_2$ respectively, then $\alpha \amalg \beta$ represents a transition sequence of $C_1 \| C_2$ in which $C_1$ makes the transitions represented by $\alpha$, followed by $C_2$ making the transitions represented by $\beta$. For example, if $\alpha = (s_0, \lambda_0, s_1)(s_1, \lambda_1, s_2)$ and $\beta = (t_0, \lambda'_0, t_1)(t_1, \lambda'_1, t_2)$, then

$$\alpha \amalg \beta = (s_0 \cup t_0, \lambda_0, s_1 \cup t_0)(s_1 \cup t_0, \lambda_1, s_2 \cup t_0)(s_2 \cup t_0, \lambda'_0, s_2 \cup t_1)(s_2 \cup t_1, \lambda'_1, s_2 \cup t_2).$$

¹Two traces $\alpha$ and $\beta$ are disjoint if each state along $\alpha$ is disjoint from every state along $\beta$; in such cases we write $disjoint(\alpha, \beta)$. Likewise, two fair traces $\varphi_1 = (\alpha, \theta_1)$ and $\varphi_2 = (\beta, \theta_2)$ are disjoint when their simple-trace components $\alpha$ and $\beta$ are disjoint.
The parallel command $C_1 \| C_2$ may also have transition sequences in which the two components repeatedly synchronize. Two nonempty, finite simple traces $\alpha = (s_0, \lambda_0, s_1) \cdots (s_k, \lambda_k, s_{k+1})$ and $\beta = (t_0, \mu_0, t_1) \cdots (t_n, \mu_n, t_{n+1})$ match — and we write $match(\alpha, \beta)$ — if the two traces have the same length and each step of $\alpha$ matches the corresponding step of $\beta$ (that is, if $k = n$ and $match(\lambda_i, \mu_i)$ for each $i$). When $\alpha$ and $\beta$ match, $\alpha \| \beta$ is the trace in which $\alpha$ and $\beta$ synchronize at each step:

$$\alpha \| \beta = (s_0 \cup t_0, \delta, s_1 \cup t_1) \ldots (s_k \cup t_k, \delta, s_{k+1} \cup t_{k+1}).$$

Similarly, the fair traces $\varphi_1 = (\alpha, (F_1, E_1, \mathbf{f}))$ and $\varphi_2 = (\beta, (F_2, E_2, \mathbf{f}))$ match when their simple-trace components $\alpha$ and $\beta$ match.

When computations $\rho_1$ of $C_1$ and $\rho_2$ of $C_2$ are merged fairly to yield a computation $\rho$ of $C_1 \| C_2$, the order in which their steps are interleaved and synchronized does not affect the general properties (that is, the set of infinitely enabled directions or the relative fairness set $F$) of $\rho$. Instead, these properties can be determined solely from the corresponding properties of the original computations $\rho_1$ and $\rho_2$. Thus we define an operator $\theta_1 \| \theta_2$ for contextual triples $\theta_1, \theta_2 \in \Gamma$ as follows, with the intuition that each $\theta \in \theta_1 \| \theta_2$ provides valid contextual information for a computation that arises from merging computations with contextual information $\theta_1$ and $\theta_2$.

The result of merging two finite transition sequences is yet another finite transition sequence, and the set of directions enabled along that transition sequence is the union of the sets enabled along each of the original sequences. Thus we define

$$(F_1, E_1, \mathbf{f}) \| (F_2, E_2, \mathbf{f}) = \{(F, E_1 \cup E_2, \mathbf{f}) \mid F \supseteq F_1 \cup F_2\}.$$

Merging a finite (successful) transition sequence and a partial computation that can next perform actions $E_2$ results in a partial computation that can next perform actions $E_2$; thus we define

$$(F_1, E_1, \mathbf{f}) \| (F_2, E_2, \mathbf{p}) = (F_2, E_2, \mathbf{p}) \| (F_1, E_1, \mathbf{f}) = \{(F, E_2, \mathbf{p}) \mid F \supseteq F_1 \cup F_2\}.$$

Merging two partial computations — one of which can next perform actions $E_1$ and the other of which can next perform actions $E_2$ — results in a third partial computation that, on its next step, can perform any of the actions $E_1 \cup E_2$. In addition, when the sets $E_1$ and $E_2$ match, the resulting computation can also perform an internal action corresponding to a synchronization. Thus we define

$$(F_1, E_1, \mathbf{p}) \| (F_2, E_2, \mathbf{p}) = \{(F, E_1 \cup E_2 \cup \{\delta \mid match(E_1, E_2)\}, \mathbf{p}) \mid F \supseteq F_1 \cup F_2\}.$$

Merging a finite computation and an infinite computation with infinitely enabled directions $E_2$ yields another infinite computation with infinitely enabled directions $E_2$:

$$(F_1, E_1, \mathbf{f}) \| (F_2, E_2, \mathbf{i}) = (F_2, E_2, \mathbf{i}) \| (F_1, E_1, \mathbf{f}) = \{(F, E_2, \mathbf{i}) \mid F \supseteq F_1 \cup F_2\}.$$




Finally,² merging a partial computation that can next perform actions $E_1$ and an infinite computation with infinitely enabled directions $E_2$ results in an infinite computation with infinitely enabled directions $E_1 \cup E_2$; thus we define

$$(F_1, E_1, \mathbf{p}) \| (F_2, E_2, \mathbf{i}) = (F_2, E_2, \mathbf{i}) \| (F_1, E_1, \mathbf{p}) = \{(F, E_1 \cup E_2, \mathbf{i}) \mid F \supseteq F_1 \cup F_2\}.$$

Note that this last definition safely ignores the possibility of synchronization between the two components: the sets $E_1$ and $E_2$ are guaranteed not to match, because we perform this operation only on traces $\varphi_1$ and $\varphi_2$ for which the predicate $mergeable(\varphi_1, \varphi_2)$ is true.

Using this parallel operator on contextual triples, we can extend the interleaving ($\amalg$) and merging ($\|$) operators to fair traces in the obvious way. For fair traces $\varphi_1 = (\alpha, \theta_1)$ and $\varphi_2 = (\beta, \theta_2)$ such that $\alpha \amalg \beta$ or $\alpha \| \beta$ is defined, we define $\varphi_1 \amalg \varphi_2$ and $\varphi_1 \| \varphi_2$ (respectively) as follows:

$$\varphi_1 \amalg \varphi_2 = \{(\alpha \amalg \beta, \theta) \mid \theta \in \theta_1 \| \theta_2\}, \qquad \varphi_1 \| \varphi_2 = \{(\alpha \| \beta, \theta) \mid \theta \in \theta_1 \| \theta_2\}.$$

Thus the fair trace $\varphi$ is in $\varphi_1 \amalg \varphi_2$ if its simple-trace component is the interleaving $\alpha \amalg \beta$ and its contextual information corresponds to the merging $\theta_1 \| \theta_2$. Similarly, $\varphi$ is in $\varphi_1 \| \varphi_2$ if it captures the information inherent in a synchronization of $\varphi_1$ and $\varphi_2$.

We can now define the sets $both \subseteq \Phi \times \Phi \times \Phi$ and $one \subseteq \Phi \times \Phi \times \Phi$. The set $both$ corresponds to the intuition that, as long as both components remain active, neither component can be forever ignored. Thus the set $both$ contains triples that reflect interleavings (or synchronizations) of finite portions of possibly infinite traces:

$$\begin{aligned} both = {} & \{(\varphi_1, \varphi_2, \varphi), (\varphi_2, \varphi_1, \varphi) \mid \varphi_1, \varphi_2 \in \Phi_{fin}\ \&\ disjoint(\varphi_1, \varphi_2)\ \&\ \varphi \in \varphi_1 \amalg \varphi_2\} \\ & \cup \{(\varphi_1, \varphi_2, \varphi) \mid \varphi_1, \varphi_2 \in \Phi_{fin}\ \&\ disjoint(\varphi_1, \varphi_2)\ \&\ match(\varphi_1, \varphi_2)\ \&\ \varphi \in \varphi_1 \| \varphi_2\}. \end{aligned}$$

Once one component terminates (or becomes permanently blocked), the other component can proceed uninterrupted. Thus the set $one$ contains triples that reflect the uninterrupted progress of one component while the other component idles (and hence $one$ involves no synchronizations):

$$one = \{(\varphi_1, \varphi_2, \varphi), (\varphi_2, \varphi_1, \varphi) \mid \varphi_1 \in \Phi\ \&\ \varphi_2 = (\varepsilon_s, \theta_2)\ \&\ \varphi \in \varphi_1 \amalg \varphi_2\ \&\ disjoint(\varphi_1, \varphi_2)\}.$$

To define $fairmerge$ from $both$ and $one$, we define a dot operator ($\cdot$) that extends concatenation of traces to sets of triples of traces in the obvious way. For example, when $Y_1$ and $Y_2$ are sets of triples of traces,

$$Y_1 \cdot Y_2 = \{(\varphi_1\varphi'_1, \varphi_2\varphi'_2, \varphi_3\varphi'_3) \mid (\varphi_1, \varphi_2, \varphi_3) \in Y_1\ \&\ (\varphi'_1, \varphi'_2, \varphi'_3) \in Y_2\ \&\ composable(\varphi_1, \varphi'_1)\ \&\ composable(\varphi_2, \varphi'_2)\ \&\ composable(\varphi_3, \varphi'_3)\}.$$

²We do not provide a definition for $(F_1, E_1, \mathbf{i}) \| (F_2, E_2, \mathbf{i})$, because we never merge an infinite trace with another infinite trace directly. Rather, we merge two infinite traces by merging finite portions of one with finite portions of the other.
Likewise, $Y^*$ and $Y^{\omega}$ represent (respectively) the finite and infinite iterations of this dot operator on the set $Y$. We then define $fairmerge$ to be the greatest fixed point of the functional

$$F(Y) = both \cdot Y \cup one,$$

so that

$$fairmerge = both^{\omega} \cup both^* \cdot one.$$

The triple $(\varphi, \varphi', \psi)$ is in $both^{\omega}$ if and only if the traces $\varphi$, $\varphi'$, and $\psi$ can be written as infinite concatenations of finite nonempty traces

$$\varphi = \varphi_0\varphi_1\varphi_2\varphi_3\cdots, \qquad \varphi' = \varphi'_0\varphi'_1\varphi'_2\varphi'_3\cdots, \qquad \psi = \psi_0\psi_1\psi_2\psi_3\cdots,$$

such that each $\psi_i$ is in $(\varphi_i \amalg \varphi'_i \cup \varphi'_i \amalg \varphi_i \cup \varphi_i \| \varphi'_i)$. Such triples represent the merging of two infinite traces. Likewise, the triple $(\varphi, \varphi', \psi)$ is in $both^* \cdot one$ if and only if the traces $\varphi$, $\varphi'$, and $\psi$ can be written as finite concatenations

$$\varphi = \varphi_0\varphi_1\varphi_2\varphi_3\cdots\varphi_n, \qquad \varphi' = \varphi'_0\varphi'_1\varphi'_2\varphi'_3\cdots\varphi'_n, \qquad \psi = \psi_0\psi_1\psi_2\psi_3\cdots\psi_n,$$

such that each $\varphi_i$, $\varphi'_i$ and $\psi_i$ (for $i < n$) is a nonempty finite trace, each $\psi_i$ (for $i < n$) is a member of the set $(\varphi_i \amalg \varphi'_i \cup \varphi'_i \amalg \varphi_i \cup \varphi_i \| \varphi'_i)$, at least one of $\varphi_n$ and $\varphi'_n$ has form $(\varepsilon_s, \theta)$, and $\psi_n$ is a member of the set $(\varphi_n \amalg \varphi'_n \cup \varphi'_n \amalg \varphi_n)$.

We can now define fair parallel composition on trace sets as follows:

$$T_1 \| T_2 = \{\varphi \mid \varphi_1 \in T_1\ \&\ \varphi_2 \in T_2\ \&\ mergeable(\varphi_1, \varphi_2)\ \&\ (\varphi_1, \varphi_2, \varphi) \in fairmerge\}.$$

The traces of $T_1 \| T_2$ are those traces that result from fair merges of mergeable traces from $T_1$ and $T_2$. We therefore define $\mathcal{T}[\![c_1 \| c_2]\!] = \mathcal{T}[\![c_1]\!] \| \mathcal{T}[\![c_2]\!]$.

We summarize the preceding discussion and give the following complete denotational characterization of the trace semantics $\mathcal{T}$.
Definition 3.3.1 The trace semantic function $\mathcal{T} : Com \to \mathcal{P}(\Phi)$ is defined by:

$$\begin{aligned} \mathcal{T}[\![\mathbf{skip}]\!] = {} & \{((s, \delta, s), (F, \emptyset, \mathbf{f})) \mid s \in S\ \&\ F \in \mathcal{P}_{fin}(\Delta)\} \\ & \cup \{(\varepsilon_s, (F, \{\delta\}, \mathbf{p})) \mid s \in S\ \&\ F \supseteq \{\delta\}\} \\ \mathcal{T}[\![i := e]\!] = {} & \{((s, \delta, [s \mid i = n]), (F, \emptyset, \mathbf{f})) \mid fv[\![i := e]\!] \subseteq dom(s)\ \&\ F \in \mathcal{P}_{fin}(\Delta)\ \&\ (s, n) \in \mathcal{E}[\![e]\!]\} \\ & \cup \{(\varepsilon_s, (F, \{\delta\}, \mathbf{p})) \mid fv[\![i := e]\!] \subseteq dom(s)\ \&\ F \supseteq \{\delta\}\} \\ \mathcal{T}[\![c_1; c_2]\!] = {} & \mathcal{T}[\![c_1]\!]; \mathcal{T}[\![c_2]\!] \\ \mathcal{T}[\![\mathbf{if}\ b\ \mathbf{then}\ c_1\ \mathbf{else}\ c_2]\!] = {} & \mathcal{T}[\![b]\!]; \mathcal{T}[\![c_1]\!] \cup \mathcal{T}[\![\neg b]\!]; \mathcal{T}[\![c_2]\!] \\ \mathcal{T}[\![\mathbf{while}\ b\ \mathbf{do}\ c]\!] = {} & (\mathcal{T}[\![b]\!]; \mathcal{T}[\![c]\!])^{\omega} \cup (\mathcal{T}[\![b]\!]; \mathcal{T}[\![c]\!])^*; \mathcal{T}[\![\neg b]\!] \\ \mathcal{T}[\![h?i]\!] = {} & \{((s, h?n, [s \mid i = n]), (F, \{h?\}, \mathbf{f})) \mid i \in dom(s)\ \&\ n \in \mathbb{Z}\ \&\ F \in \mathcal{P}_{fin}(\Delta)\} \\ & \cup \{(\varepsilon_s, (F, \{h?\}, \mathbf{p})) \mid i \in dom(s)\ \&\ F \supseteq \{h?\}\} \\ \mathcal{T}[\![h!e]\!] = {} & \{((s, h!n, s), (F, \{h!\}, \mathbf{f})) \mid (s, n) \in \mathcal{E}[\![e]\!]\ \&\ F \in \mathcal{P}_{fin}(\Delta)\} \\ & \cup \{(\varepsilon_s, (F, \{h!\}, \mathbf{p})) \mid fv[\![e]\!] \subseteq dom(s)\ \&\ F \supseteq \{h!\}\} \\ \mathcal{T}[\![g \to c]\!] = {} & \mathcal{T}[\![g]\!]; \mathcal{T}[\![c]\!] \\ \mathcal{T}[\![gc_1 \square gc_2]\!] = {} & \mathcal{T}[\![gc_1]\!] \square \mathcal{T}[\![gc_2]\!] \\ \mathcal{T}[\![c_1 \| c_2]\!] = {} & \mathcal{T}[\![c_1]\!] \| \mathcal{T}[\![c_2]\!] \\ \mathcal{T}[\![c\backslash h]\!] = {} & \mathcal{T}[\![c]\!]\backslash h. \end{aligned}$$

◇

The following result shows that the denotational semantics accurately reflects the operational behavior of programs executing under the assumption of strong fairness.

Proposition 3.3.2 The denotational and operational characterizations of the fair trace semantics $\mathcal{T}$ coincide.

Proof: By a straightforward but tedious induction on the structure of commands. Most of the details concern parallel composition and make precise the connection with the operational characterization of parameterized fairness given in Definition 3.1.2. ■


3.4 Examples

In this section, we sketch how the semantics $\mathcal{T}$ can support reasoning about the behavior of programs.
Example 3.4.1 Recall Example 3.1.3, where we defined $C = \mathbf{while}\ true\ \mathbf{do}\ c!1$ and considered a computation of the command

$$((a!0 \to b!1) \| C)\backslash b.$$

$\mathcal{T}[\![a!0 \to b!1]\!]$ contains the partial trace $\varphi_1 = ((s, a!0, s), (\{b!\}, \{b!\}, \mathbf{p}))$, which represents the blocked mod $\{b!\}$ computation

$$\rho_1 = (a!0 \to b!1, s) \to (b!1, s).$$

$\mathcal{T}[\![C]\!]$ contains the infinite trace $\varphi_2 = ([(s, \delta, s)(s, c!1, s)]^{\omega}, (\emptyset, \{c!\}, \mathbf{i}))$, which represents the fair mod $\emptyset$ computation

$$\rho_2 = (C, s) \to ((c!1; C), s) \to (C, s) \to ((c!1; C), s) \to (C, s) \to \cdots$$

The traces $\varphi_1$ and $\varphi_2$ are mergeable, because $\neg match(\{b!\}, \{c!\})$ and $\{b!\} \cap \{c!\} = \emptyset$. Moreover, $(\varphi_1, \varphi_2, \varphi)$ is in $fairmerge$, where we let $\varphi$ be the trace

$$\varphi = ((s, a!0, s)[(s, \delta, s)(s, c!1, s)]^{\omega}, (\{b!\}, \{b!, c!\}, \mathbf{i})).$$

As a result, $\varphi$ is in $\mathcal{T}[\![(a!0 \to b!1) \| C]\!]$; not surprisingly, $\varphi$ corresponds to the computation

$$\rho = ((a!0 \to b!1) \| C, s) \to (b!1 \| C, s) \to (b!1 \| (c!1; C), s) \to (b!1 \| C, s) \to (b!1 \| (c!1; C), s) \to \cdots$$

which can be obtained by interleaving $\rho_1$ and $\rho_2$. It follows that $\mathcal{T}[\![((a!0 \to b!1) \| C)\backslash b]\!]$ contains the trace $((s, a!0, s)[(s, \delta, s)(s, c!1, s)]^{\omega}, (\emptyset, \{c!\}, \mathbf{i}))$, which corresponds to the computation $\rho$ of Example 3.1.3. ◇


Example 3.4.2 Recall Example 3.1.4, which introduced the following programs:

$$\begin{aligned} C &= \mathbf{while}\ true\ \mathbf{do}\ (a!1 \square b!1), \\ C_1 \| C_2 &= (\mathbf{while}\ true\ \mathbf{do}\ a!1) \| (b!1 \to (\mathbf{while}\ true\ \mathbf{do}\ b!1)), \\ C_p &= \mathbf{while}\ true\ \mathbf{do}\ (a!0 \square b?z). \end{aligned}$$

$\mathcal{T}[\![C]\!]$ contains the trace $\varphi = ([(s, \delta, s)(s, a!1, s)]^{\omega}, (\emptyset, \{a!, b!\}, \mathbf{i}))$, corresponding to its fair mod $\emptyset$ computation that enables the directions $a!$ and $b!$ infinitely often and yet uses only $a!$ infinitely often. In contrast, $\mathcal{T}[\![C_1 \| C_2]\!]$ contains the trace

$$\varphi' = ([(s, \delta, s)(s, a!1, s)]^{\omega}, (\{b!\}, \{a!, b!\}, \mathbf{i}))$$

but not the trace $\varphi$, because its only computations that do not use $b!$ are fair mod $\{b!\}$ but not fair mod $\emptyset$.

$\mathcal{T}[\![C_p]\!]$ contains the trace $\varphi_p = ([(t, \delta, t)(t, a!0, t)]^{\omega}, (\emptyset, \{a!, b?\}, \mathbf{i}))$, which corresponds to its fair mod $\emptyset$ computation that enables the directions $a!$ and $b?$ infinitely often and repeatedly performs the action $a!0$. The traces $\varphi$ and $\varphi_p$ are mergeable; letting $\psi$ be the trace

$$\psi = ([(s \cup t, \delta, s \cup t)(s \cup t, \delta, s \cup t)(s \cup t, a!0, s \cup t)(s \cup t, a!1, s \cup t)]^{\omega}, (\emptyset, \{a!, b!, b?\}, \mathbf{i})),$$

the triple $(\varphi, \varphi_p, \psi)$ is in $fairmerge$, and hence $\psi$ is in $\mathcal{T}[\![C \| C_p]\!]$. The trace $\psi$ corresponds to the following fair mod $\emptyset$ merging of computations $\rho$ and $\rho_p$:

$$\begin{aligned} (C \| C_p, s \cup t) &\to ((a!1 \square b!1); C \| C_p, s \cup t) \\ &\to ((a!1 \square b!1); C \| (a!0 \square b?z); C_p, s \cup t) \\ &\to ((a!1 \square b!1); C \| C_p, s \cup t) \\ &\to (C \| C_p, s \cup t) \to \cdots \end{aligned}$$

In contrast, the traces $\varphi'$ and $\varphi_p$ are not mergeable, because the fairness set $\{b!\}$ of $\varphi'$ matches $\varphi_p$'s set $\{a!, b?\}$ of infinitely enabled directions. The lack of mergeability reflects $C_p$'s inability to refuse to synchronize on channel $b$ when $C_1 \| C_2$ has a process blocked on the direction $b!$. ◇
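As an added example that is not part of the dissertation, the following Python implements $vis$, $match$ on direction sets, the predicate $mergeable$ and the contextual merge $\theta_1 \| \theta_2$ over traces whose simple-trace component is abbreviated to a prefix plus a repeating cycle of action labels, and checks them against the traces of Examples 3.4.1 and 3.4.2 and the non-mergeable $h!$/$h?$ pair from the parallel-composition discussion (states are dropped, and the simple traces of that last pair are constructed).

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

DELTA = "δ"   # internal action label (loop tests, synchronizations)


@dataclass(frozen=True)
class FairTrace:
    """(α, (F, E, R)) with α given by its action labels only: a finite prefix
    followed by a cycle that an infinite trace repeats forever (α = prefix·cycle^ω).
    States are left out because neither mergeable nor θ1 ‖ θ2 inspects them."""
    prefix: Tuple[str, ...]
    cycle: Tuple[str, ...]
    F: FrozenSet[str]    # fairness set
    E: FrozenSet[str]    # enabled directions (along / next / infinitely often, by R)
    R: str               # 'f' finite successful, 'p' partial, 'i' infinite


def direction(label):
    """h!v ↦ h!, h?v ↦ h?; the internal action δ has no direction."""
    if label == DELTA:
        return None
    for sym in "!?":
        if sym in label:
            return label.split(sym)[0] + sym
    raise ValueError(f"not an action label: {label}")


def match(X, Y):
    """Direction sets match when some channel is output in one and input in the other."""
    return any(d[:-1] + ("?" if d.endswith("!") else "!") in Y for d in X)


def vis(t):
    """vis(α): directions visible infinitely often, i.e. those of the non-δ cycle labels."""
    if t.R != "i":
        return frozenset()
    return frozenset(d for d in map(direction, t.cycle) if d is not None)


def mergeable(p1, p2):
    """The predicate of the text: a finite trace merges with anything, two partial
    traces merge, and otherwise neither side may keep the other blocked or starve it."""
    if p1.R == "f" or p2.R == "f" or (p1.R == "p" and p2.R == "p"):
        return True
    return (DELTA not in p1.E | p2.E
            and not match(p1.F, p2.E) and not match(p2.F, p1.E)
            and not (p1.F & vis(p2)) and not (p2.F & vis(p1)))


def merge_ctx(t1, t2):
    """θ1 ‖ θ2 on contextual triples (F, E, R).  The text yields every triple with
    F ⊇ F1 ∪ F2; the least such F is returned here.  i ‖ i is undefined, as in the text."""
    (F1, E1, R1), (F2, E2, R2) = t1, t2
    F, kinds = F1 | F2, {R1, R2}
    if kinds == {"f"}:
        return (F, E1 | E2, "f")
    if kinds == {"f", "p"}:                    # the partial side decides what comes next
        return (F, E2 if R2 == "p" else E1, "p")
    if kinds == {"p"}:
        sync = frozenset({DELTA}) if match(E1, E2) else frozenset()
        return (F, E1 | E2 | sync, "p")
    if kinds == {"f", "i"}:
        return (F, E2 if R2 == "i" else E1, "i")
    if kinds == {"p", "i"}:
        return (F, E1 | E2, "i")
    raise ValueError("two infinite traces are merged only piecewise, never directly")


def ctx(t):
    """The contextual triple θ of a fair trace."""
    return (t.F, t.E, t.R)


# Example 3.4.1: φ1 = ((s,a!0,s), ({b!},{b!},p)) and φ2 = ([(s,δ,s)(s,c!1,s)]^ω, (∅,{c!},i))
phi1 = FairTrace(("a!0",), (), frozenset({"b!"}), frozenset({"b!"}), "p")
phi2 = FairTrace((), (DELTA, "c!1"), frozenset(), frozenset({"c!"}), "i")
# Example 3.4.2: φ (from C), φ' (from C1 ‖ C2) and φp (from Cp)
phi = FairTrace((), (DELTA, "a!1"), frozenset(), frozenset({"a!", "b!"}), "i")
phi_prime = FairTrace((), (DELTA, "a!1"), frozenset({"b!"}), frozenset({"a!", "b!"}), "i")
phi_p = FairTrace((), (DELTA, "a!0"), frozenset(), frozenset({"a!", "b?"}), "i")
# The motivating non-example (α, ({h!},{h!},p)) against (β, (∅,{h?},i)); the action
# labels standing in for α and β are constructed here, not taken from the text.
blocked_h = FairTrace(("x!0",), (), frozenset({"h!"}), frozenset({"h!"}), "p")
inf_h = FairTrace((), ("y!0",), frozenset(), frozenset({"h?"}), "i")

if __name__ == "__main__":
    print("3.4.1 mergeable:", mergeable(phi1, phi2), "θ:", merge_ctx(ctx(phi1), ctx(phi2)))
    print("3.4.2 φ,φp:", mergeable(phi, phi_p), " φ',φp:", mergeable(phi_prime, phi_p))
    print("h!/h? pair:", mergeable(blocked_h, inf_h))
```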

Example 3.4.3 Consider the program $(Stream_1 \| Stream_2 \| Merge)\backslash left\backslash right$, where the processes $Stream_1$, $Stream_2$ and $Merge$ are defined as follows:

$$\begin{aligned} Stream_1 &= \mathbf{while}\ true\ \mathbf{do}\ left!1, \\ Stream_2 &= \mathbf{while}\ true\ \mathbf{do}\ right!2, \\ Merge &= \mathbf{while}\ true\ \mathbf{do}\ (left?x \to out!x \ \square\ right?x \to out!x). \end{aligned}$$

None of the commands have any successful finite traces.

Every infinite trace of $Merge$ has form $(\alpha, (F, \{left?, right?, out!\}, \mathbf{i}))$. Therefore, the only traces of $(Stream_1 \| Stream_2)$ that can be merged with traces of $Merge$ are those whose fairness sets do not contain the directions $left!$, $right!$ or $out?$. The only such traces are those that represent computations in which both $Stream_1$ and $Stream_2$ make infinite progress. These traces necessarily have form $(\beta, (F', \{left!, right!\}, \mathbf{i}))$, where $\{left!, right!\} \cap F' = \emptyset$ and $\beta$ contains infinitely many $left!1$ actions and infinitely many $right!2$ actions.

As a consequence, every trace (and therefore every fair computation) of

$$(Stream_1 \| Stream_2 \| Merge)\backslash left\backslash right$$

must contain infinitely many $out!1$ actions and infinitely many $out!2$ actions. Therefore $Merge$ represents a fair merger of the streams created by $Stream_1$ and $Stream_2$. ◇




The following example highlights the connection between fairness and unbounded nondeterminism, using the trace semantics to prove that a single program can terminate with any possible integer value for the identifier $x$. (The program will also prove useful in certain proofs in Chapter 4.)


Example 3.4.4 Let $Pick\_Int(x, y, w)$ be the command

$$(Data(x, y) \| Control(w))\backslash a\backslash b,$$

where $Data(x, y)$ and $Control(w)$ are the following programs:

$$\begin{aligned} Data(x, y) &= \mathbf{while}\ y \neq 0\ \mathbf{do}\ (a!1 \to x := x + 1 \ \square\ b?y \to \mathbf{skip} \ \square\ a!1 \to x := -x), \\ Control(w) &= w := 1;\ \mathbf{while}\ w \neq 0\ \mathbf{do}\ (a?w \to \mathbf{skip} \ \square\ b!0 \to w := 0). \end{aligned}$$

For all integers $m$ and $n$, let $s_n$ abbreviate the state $[x = n, y = 0]$ and $t_n$ abbreviate the state $[x = n, y = 1]$, and let $u_m$ abbreviate the state $[w = m]$. For each $n \in \mathbb{Z}$, let the traces $\alpha_n^+$, $\alpha_n^-$, and $\alpha_n^*$ be defined by:

$$\begin{aligned} \alpha_n^+ &= (t_n, a!1, t_n)(t_n, \delta, t_{n+1})(t_{n+1}, \delta, t_{n+1}), \\ \alpha_n^- &= (t_n, a!1, t_n)(t_n, \delta, t_{-n})(t_{-n}, \delta, t_{-n}), \\ \alpha_n^* &= (t_n, b?0, s_n)(s_n, \delta, s_n)(s_n, \delta, s_n). \end{aligned}$$

Intuitively, $\alpha_n^+$ represents the transitions made by $Data(x, y)$ in executing the code fragment

$$a!1 \to x := x + 1$$

from the state $[x = n, y = 1]$, and then entering the loop again by verifying that the condition $y \neq 0$ holds. Similarly, $\alpha_n^-$ represents the transitions made by $Data(x, y)$ in executing the fragment

$$a!1 \to x := -x$$

from the same state and reentering the loop. Finally, the trace $\alpha_n^*$ represents the transitions made by $Data(x, y)$ in which it receives the value $0$ along channel $b$ and finally terminates.

For every nonnegative integer $n$, we can also define the simple traces

$$\begin{aligned} \gamma_n^+ &= (s_0, \delta, s_0)(s_0, \delta, t_0)(t_0, \delta, t_0)\alpha_0^+\alpha_1^+\cdots\alpha_{n-1}^+\alpha_n^*, \\ \gamma_n^- &= (s_0, \delta, s_0)(s_0, \delta, t_0)(t_0, \delta, t_0)\alpha_0^+\alpha_1^+\cdots\alpha_{n-1}^+\alpha_n^-\alpha_{-n}^*. \end{aligned}$$

Intuitively, $\gamma_n^+$ (respectively, $\gamma_n^-$) represents a computation of $Data(x, y)$ that sets $x$ to $n$ (respectively, $-n$) and then terminates. Moreover, for each $n \ge 0$, the traces $(\gamma_n^+, (\emptyset, \{a!, b?\}, \mathbf{f}))$ and $(\gamma_n^-, (\emptyset, \{a!, b?\}, \mathbf{f}))$ are in $\mathcal{T}[\![Data(x, y)]\!]$.
We can also define simple traces

$$\beta = (u_1, a?1, u_1)(u_1, \delta, u_1)(u_1, \delta, u_1), \qquad \beta^* = (u_1, b!0, u_1)(u_1, \delta, u_0)(u_0, \delta, u_0),$$

and (for each $n > 0$) . The trace represents a computation of $Control(w)$ that executes the guard $a?w$ $n - 1$ times and then executes the guard $b!0$ and terminates. For each nonnegative $n$, the trace $( , (\emptyset, \{a?, b!\}, \mathbf{f}))$ is in $\mathcal{T}[\![Control(w)]\!]$.

Finally, using the notation to abbreviate the trace , we can define the following simple traces, for all integer values $n$:

$$\begin{aligned} \theta_n^+ &= (t_n \cup u_1, \delta, t_n \cup u_1)(t_n \cup u_1, \delta, t_{n+1} \cup u_1)[(t_{n+1} \cup u_1, \delta, t_{n+1} \cup u_1)]^3, \\ \theta_n^- &= (t_n \cup u_1, \delta, t_n \cup u_1)(t_n \cup u_1, \delta, t_{-n} \cup u_1)[(t_{-n} \cup u_1, \delta, t_{-n} \cup u_1)]^3. \end{aligned}$$

Intuitively, $\theta_n^+$ arises from a merge of $\alpha_n^+$ and $\beta$, $\theta_n^-$ arises from a merge of $\alpha_n^-$ and $\beta$, and $\theta_n^*$ arises from a merge of $\alpha_n^*$ and $\beta^*$. Letting $\iota$ be the trace

$$(s_0 \cup u_0, \delta, s_0 \cup u_0)(s_0 \cup u_0, \delta, t_0 \cup u_0)(t_0 \cup u_0, \delta, t_0 \cup u_0)(t_0 \cup u_0, \delta, t_0 \cup u_1)(t_0 \cup u_1, \delta, t_0 \cup u_1),$$

representing one possible merging of the "initial" portions of and , it follows that, for each nonnegative $n$, the traces

$$(\iota\theta_0^+\theta_1^+\cdots\theta_{n-1}^+\theta_n^*, (\emptyset, \{a!, a?, b!, b?\}, \mathbf{f}))$$

and

$$(\iota\theta_0^+\theta_1^+\cdots\theta_{n-1}^+\theta_n^-\theta_{-n}^*, (\emptyset, \{a!, a?, b!, b?\}, \mathbf{f}))$$

are in $\mathcal{T}[\![Data(x, y) \| Control(w)]\!]$. Consequently, the traces

$$(\iota\theta_0^+\theta_1^+\cdots\theta_{n-1}^+\theta_n^*, (\emptyset, \emptyset, \mathbf{f})) \quad \text{and} \quad (\iota\theta_0^+\theta_1^+\cdots\theta_{n-1}^+\theta_n^-\theta_{-n}^*, (\emptyset, \emptyset, \mathbf{f}))$$

are in $\mathcal{T}[\![Pick\_Int(x, y, w)]\!]$. These traces reflect the fact that, for every integer $n$, there is a strongly fair computation of $Pick\_Int(x, y, w)$ that terminates in a state where the identifier $x$ has value $n$. ◇

Example 3.4.5 As a postscript to the previous example, let $\gamma$ be the infinite simple trace

$$(s_0, \delta, s_0)(s_0, \delta, t_0)(t_0, \delta, t_0)\alpha_0^+\alpha_1^+\cdots\alpha_n^+\cdots,$$

so that $\gamma$ represents a computation of $Data(x, y)$ that continually increments $x$. Similarly, let $\zeta = (u_0, \delta, u_1)(u_1, \delta, u_1)\beta^{\omega}$, so that $\zeta$ represents a computation of $Control(w)$ in which $w$ is never set to $0$.

The trace $(\gamma, (\emptyset, \{a!, b?\}, \mathbf{i}))$ is in $\mathcal{T}[\![Data(x, y)]\!]$, and the trace $(\zeta, (\emptyset, \{a?, b!\}, \mathbf{i}))$ is in $\mathcal{T}[\![Control(w)]\!]$. It follows that the trace

is in $\mathcal{T}[\![Data(x, y) \| Control(w)]\!]$, and hence the trace $(\iota\theta_0^+\theta_1^+\cdots\theta_n^+\cdots, (\emptyset, \emptyset, \mathbf{i}))$ is in $\mathcal{T}[\![Pick\_Int(x, y, w)]\!]$. The existence of this trace reflects the fact that $Pick\_Int(x, y, w)$ has strongly fair computations that never terminate. ◇

These examples all illustrate how the strongly fair trace semantics can be used to reason about strongly fair program behavior. What we have not yet addressed, however, is whether a simpler semantics (that is, a semantics constructed at a higher level of abstraction) would also support such reasoning: are the fairness sets $F$ and sets $E$ of enabled directions really necessary for reasoning about strong process fairness? We address this question in the next chapter, where we discuss full abstraction. Intuitively, a semantics is fully abstract if it provides precisely the right level of detail to support compositional reasoning about program behavior. We show in the next chapter that the semantics $\mathcal{T}$ can be made fully abstract and that the sets $F$ and $E$ play a vital role in modeling strongly fair computations.


Chapter  4 

Full  Abstraction  for  Strong  Fairness 


A single language can have several different semantics, each suited for reasoning about a different type of program behavior. The struggle for each semantics is to find a balance between supporting compositional reasoning and maintaining an appropriate level of abstraction. For example, a semantics intended to support reasoning about the sequence of states encountered along a computation must capture intermediate states in some fashion. In contrast, that same semantics may be unnecessarily complex for reasoning about a behavior that ignores intermediate states; a semantics that also ignores intermediate states may provide a better level of abstraction.

Given a semantics and a notion of program behavior, how do we determine whether — and, if so, how well — the semantics supports reasoning about the behavior? One well-known criterion for judging the utility of a semantics is full abstraction [Mil75]. Informally, a semantics is fully abstract with respect to a given notion of behavior if it gives identical meanings to program terms exactly when those terms exhibit identical behaviors in all program contexts. In essence, a fully abstract semantics supplies precisely the right level of detail to support compositional reasoning about a given notion of behavior.

In this chapter, we introduce a natural notion of strongly fair behavior, and we show how the semantics $\mathcal{T}$ introduced in Chapter 3 can be adapted — through the introduction of suitable closure conditions on trace sets — to yield full abstraction with respect to this behavior. We also introduce several additional notions of strongly fair behavior and show how the same general framework, with small changes to the specific semantics, yields full abstraction with respect to these behaviors as well. Having a common underlying framework significantly simplifies the construction of the additional semantics: the different traces share the same general structure, the semantic operators represent the same type of operational behavior, and the full-abstraction proofs rely on the same observations and necessary lemmas.
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4.1  Soundness  and  Full  Abstraction 


A program context $P[-]$ is a program with one or more "holes" into which a command can be inserted. $P[c]$ is the program that results from filling the holes of $P[-]$ with command $c$, provided $c$ "makes sense" in the given hole. For example, if $P[-]$ is the context $([-] \to \mathbf{skip})$, then $P[a!0]$ is the command $(a!0 \to \mathbf{skip})$, whereas $P[\mathbf{skip}]$ is undefined.¹

A behavior notion is the set of program actions assumed to be visible to an external observer. For example, the input-output behavior of a program provides a black-box view of programs: a program's initial input and final result are considered observable, but its intermediate states are not. For communicating processes, there are several natural notions of behavior to consider, such as a program's sequences of communications or the states encountered along its possible executions. For most of this chapter, we focus on the following form of state trace behavior; in Section 4.5, we discuss several other notions of strongly fair behavior.


Definition 4.1.1 The state trace behavior $\mathcal{M} : \mathbf{Com} \to \mathcal{P}(S^\infty \cup S^*\delta)$ is defined by:

$\mathcal{M}[[c]] = \{ s_0 s_1 \ldots s_k \mid (c, s_0) \to (c_1, s_1) \to \cdots \to (c_k, s_k)\ \mathrm{term} \}$

$\quad \cup\ \{ s_0 s_1 \ldots s_k \delta \mid (c, s_0) \to (c_1, s_1) \to \cdots \to (c_k, s_k)\ \mathrm{dead} \}$

$\quad \cup\ \{ s_0 s_1 \ldots s_k \ldots \mid (c, s_0) \to (c_1, s_1) \to \cdots \to (c_k, s_k) \to \cdots \text{ is fair} \},$

where we define $S^*\delta = \{ s_0 s_1 \ldots s_k \delta \mid \forall i \in 0..k.\ s_i \in S \}$. ◇


The state trace behavior $\mathcal{M}$ incorporates the assumption that a program is a closed system (that is, no external communication is permitted) and that an observer can detect each and every state change. This notion of behavior captures exactly the information necessary for reasoning about the linear-time temporal logic properties of programs; the assumption that every state change is detectable corresponds to the inclusion of a next-time operator in the temporal logic. Finally, this behavior reflects the assumption that deadlock is distinguishable both from successful termination and from infinite chattering.

A semantics is sound with respect to a given notion of behavior if whenever two terms have the same meaning, they induce the same behaviors in all program contexts. Thus, whenever a sound semantics identifies two terms, either term can always be substituted for the other in any program without affecting the program's observable behavior. However, when a sound semantics gives different meanings to program terms, the terms may or may not be safely interchangeable: they may have different meanings either because they induce different behaviors in some program context or because the semantics provides too low a level of abstraction. For example, the semantics that maps each term to its own syntactic representation is sound for any notion of program behavior, but it is not very useful: two terms have the same meaning in this semantics if and only if they are identical, and hence they necessarily behave the same in all program contexts.

¹To be more precise and pedantic, each context should be tagged with a label that indicates whether the hole takes guards or commands and a set of identifiers that are forbidden to be free in any command filling the hole. For example, the context $([-] \to \mathbf{skip} \parallel x := 1)$ would be tagged to indicate that it accepts guards that do not have free identifier $x$.

A semantics is (equationally) fully abstract [Mil75] with respect to a notion of behavior if it assigns two terms the same meaning exactly when they induce the same behaviors in all program contexts. A fully abstract semantics faithfully captures Morris-style contextual equivalence [Mor68], identifying two terms if and only if they are contextually equivalent. Thus a fully abstract semantics makes precisely the right distinctions and retains just enough detail to support compositional reasoning about the given behavior. When the semantic and behavioral domains both come equipped with approximation orderings, we can also speak of a stronger property called inequational full abstraction: a semantics is inequationally fully abstract with respect to a notion of behavior provided that the meaning of a term $c$ approximates that of $c'$ exactly when the behavior of $c$ approximates that of $c'$ in all program contexts. Inequational full abstraction necessarily implies equational full abstraction.


4.2  Closed  Trace  Sets 

The semantics $\mathcal{T}$ introduced in Chapter 3 is sound with respect to $\mathcal{M}$: for all commands $c$ and $c'$,

$\mathcal{T}[[c]] = \mathcal{T}[[c']] \Rightarrow \forall P[-].\ \mathcal{M}[[P[c]]] = \mathcal{M}[[P[c']]]$.

The soundness of $\mathcal{T}$ for $\mathcal{M}$ follows directly from the compositionality of $\mathcal{T}$, the monotonicity of the semantic operators, and the fact that the state traces in each $\mathcal{M}[[P[c]]]$ correspond to the traces of $P[c]$ that contain only $\delta$-transitions. However, $\mathcal{T}$ is not fully abstract with respect to $\mathcal{M}$, because it makes distinctions between programs that behave equivalently in all contexts. These inappropriate distinctions arise because certain combinations of traces convey exactly the same information as do certain other combinations.

For example, consider the following commands $C_1$ and $C_2$:

$C_1 = (a!0 \to b!0) \,\square\, (a!0 \to c!0)$,

$C_2 = (a!0 \to b!0) \,\square\, (a!0 \to c!0) \,\square\, (a!0 \to (b!0 \,\square\, c!0))$.

The traces $\varphi_p = ((s, a!0, s), (\{b!, c!\}, \{b!, c!\}, p))$ and $\varphi_f = ((s, a!0, s)(s, b!0, s), (\emptyset, \{a!, b!, c!\}, f))$ are both possible for $C_2$ but not for $C_1$. However, the two commands behave identically in all program contexts: after performing an $a!0$, each command may perform $b!0$ or $c!0$, and each command may refuse either one of these actions (but not both). That $C_2$ can enable each of $b!$ and $c!$ along the same computation is not directly observable: any behavior possible when both are enabled is also possible when only one of them is enabled. In essence, the partial trace $\varphi_p$ conveys no information that is not already conveyed by the partial traces

$\varphi_1 = ((s, a!0, s), (\{b!\}, \{b!\}, p))$ and $\varphi_2 = ((s, a!0, s), (\{c!\}, \{c!\}, p))$,

both of which are possible for $C_1$ as well as for $C_2$. More generally, the information provided by the combination of partial traces $(\alpha, (F_1, E_1, p))$ and $(\alpha, (F_2, E_2, p))$ encompasses any information provided by the partial trace $(\alpha, (F_1 \cup F_2, E_1 \cup E_2, p))$. Consequently, it is safe to assume that the latter trace exists in any trace set that contains the first two. Likewise, the finite trace $\varphi_f$ above conveys no more information than that conveyed by the finite trace

$((s, a!0, s)(s, b!0, s), (\emptyset, \{a!, b!\}, f))$,

which is possible for both $C_1$ and $C_2$. More generally, it is safe to assume that the finite or infinite trace $(\alpha, (F', E', R))$ is in any trace set containing the trace $(\alpha, (F, E, R))$, provided $E \subseteq E'$, $F \subseteq F'$, and $R \in \{f, i\}$.

A similar situation arises with the following guarded commands $C_3$ and $C_4$:

$C_3 = (a!0 \to b!0) \,\square\, (a!0 \to (b!0 \,\square\, c!0 \,\square\, d!0))$

$C_4 = (a!0 \to b!0) \,\square\, (a!0 \to (b!0 \,\square\, c!0 \,\square\, d!0)) \,\square\, (a!0 \to (b!0 \,\square\, c!0))$.

The two partial traces

$\varphi_1 = ((s, a!0, s), (\{b!\}, \{b!\}, p)), \quad \varphi_2 = ((s, a!0, s), (\{b!, c!, d!\}, \{b!, c!, d!\}, p))$

are possible for both $C_3$ and $C_4$, but the partial trace $\varphi = ((s, a!0, s), (\{b!, c!\}, \{b!, c!\}, p))$ is possible only for $C_4$. However, for reasons similar to those above, the two commands behave the same in all program contexts. Any information conveyed by the trace $\varphi$ is also conveyed by the combination of traces $\varphi_1$ and $\varphi_2$, both of which are possible for $C_3$ and $C_4$. More generally, the combination of partial traces

$(\alpha, (F_1, E_1, p))$ and $(\alpha, (F_2, E_2, p))$

encompasses any information conveyed by the partial trace $(\alpha, (F, E, p))$, provided $F_1 \subseteq F \subseteq F_2$, $E_1 \subseteq E \subseteq E_2$, and $F \supseteq E$.

Similar observations led to the imposition of saturation closure conditions in Hennessy's acceptance trees model [Hen85] and downwards and convex closure conditions for refusal sets in the failures model for CSP [BHR84]. The need for these closure conditions arises from our desire to model deadlock and is orthogonal to our attempts to model fairness. However, other fairness-related difficulties also arise, due to the interactions between traces' fairness sets $F$ and enabling sets $E$.
To understand why, recall that, in the infinite trace $(\alpha, (F, E, i))$, the set $F$ represents constraints on the type of context in which $\alpha$ will represent a fair transition sequence, and the set $E$ indicates which directions are enabled infinitely often along that sequence. Therefore, distinguishing between a process with the trace $(\alpha, (F, E, i))$ and one with the trace $(\alpha, (F, E', i))$ requires a context with a subcomponent $Q$ that can be enabled infinitely often by $E$ but not by $E'$ (or vice versa). When placed in such a context, one process can perform $\alpha$ fairly while $Q$ blocks, whereas the other process cannot perform $\alpha$ without eventually synchronizing with $Q$. For example, suppose that the command $C$ (but not $C'$) has the trace $(\alpha, (\emptyset, \{a!, b!\}, i))$ and that $C'$ has the trace $(\alpha, (\emptyset, \{a!, b!, c!\}, i))$. The two commands can be distinguished by a context like the following:

$P[-] = ([-] \parallel c?x \to flag := 1) \backslash c$.

The program $P[C]$ has a fair behavior in which $C$ performs the transition sequence $\alpha$ and in which the identifier $flag$ never gets set to 1. In contrast, $P[C']$ has no such behavior: if $C'$ tries to perform the sequence $\alpha$, the context's guard $c?x$ will be enabled infinitely often, thereby forcing a synchronization that leads to $flag$ getting set to the value 1.

Distinguishing a process with trace $(\alpha, (F, E, i))$ from one with trace $(\alpha, (F', E, i))$ requires a different approach. In particular, the context must enable some direction in $F$ or $F'$ (but not both) infinitely often (without becoming blocked itself), thereby providing infinitely many synchronization opportunities to a previously blocked mod $F$ (or $F'$) subcomponent of one of the processes. For example, recall the commands $C$, $C_1 \parallel C_2$ and $C_P$ from Example 3.1.4:

$C = \mathbf{while}\ true\ \mathbf{do}\ (a!0 \,\square\, b!1)$,

$C_1 \parallel C_2 = (\mathbf{while}\ true\ \mathbf{do}\ a!0) \parallel (b!1 \to \mathbf{while}\ true\ \mathbf{do}\ b!1)$,

$C_P = \mathbf{while}\ true\ \mathbf{do}\ (a!0 \,\square\, b?z)$.

Letting $\alpha = [(s, \delta, s)(s, a!0, s)]^\omega$, the commands $C$ and $C_1 \parallel C_2$ have (respectively) the traces $(\alpha, (\emptyset, \{a!, b!\}, i))$ and $(\alpha, (\{b!\}, \{a!, b!\}, i))$. The context

$([-] \parallel \mathbf{while}\ true\ \mathbf{do}\ (a!0 \,\square\, b?z)) \backslash b$

can distinguish these commands, because the $b?z$ command appears within a guarded choice. The context's infinite enabling of $b?$ is sufficient to force $C_1 \parallel C_2$ to synchronize on channel $b$, and yet $C$ may refrain fairly from using $b$ at all.

Bearing these considerations in mind, we now consider two more commands that behave the same in all program contexts and yet have different meanings under the semantics $\mathcal{T}$:

$C_5 = (a!0 \to b!0 \to c!0) \,\square\, (a!0 \to b?x) \,\square\, (a!0 \to (b!0 \,\square\, b?x))$,

$C_6 = (a!0 \to b!0 \to c!0) \,\square\, (a!0 \to b?x) \,\square\, (a!0 \to (b!0 \,\square\, b?x)) \,\square\, (a!0 \to b!0)$.
These commands exhibit the same potential for deadlock (i.e., they share the same partial traces), and they can perform the same sequences of communications. The only potential difference between these commands is that $C_6$ can perform the successfully terminating sequence of actions $[a!0\ b!0]$ without enabling input on channel $b$. This potential difference is reflected in their trace sets: the trace $\varphi = ((s, a!0, s)(s, b!0, s), (\emptyset, \{a!, b!, b?\}, f))$ is possible for both $C_5$ and $C_6$, whereas the trace $\varphi' = ((s, a!0, s)(s, b!0, s), (\emptyset, \{a!, b!\}, f))$ is possible only for $C_6$. As a result, the only possible way to distinguish $C_6$ from $C_5$ is to distinguish $\varphi'$ from $\varphi$, which requires an argument based on fairness. In particular, distinguishing between $C_6$ and $C_5$ requires a context that allows each $C_i$ to repeatedly perform $a!0$ followed by $b!0$, while permitting an observer to determine when the direction $b?$ is enabled only finitely often along the infinite computation. Therefore, any potential distinguishing context must have at least the following three separate components:

1. A loop that repeats the relevant $C_i$ infinitely many times.

Intuitively, when $C_6$ is placed in this loop, it can repeatedly perform $a!0$ followed by $b!0$, without ever enabling the direction $b?$. In contrast, when $C_5$ is placed in this loop and performs the same sequence of actions, it necessarily enables $b?$ infinitely often.

2. A component — placed in parallel with the aforementioned loop — that can block only when $b?$ is not enabled by the relevant $C_i$ infinitely often.

To block when $b?$ is enabled only finitely often, this component must contain a guard that blocks when trying to perform output on channel $b$. Because blocking can happen only when synchronization is required, both this component and the loop must appear in the scope of channel restriction on channel $b$.

3. A component that repeatedly offers input opportunities for each of the loop's attempted $b!0$ actions.

The loop has communication on channel $b$ restricted and yet needs to perform the action $b!0$ infinitely often. Consequently, it requires an additional component that repeatedly offers input opportunities on channel $b$, thus permitting synchronization.

Consequently, any distinguishing context must have the following general form:

$(\mathbf{while}\ true\ \mathbf{do}\ [-] \parallel b!0 \to flag := 1 \parallel \mathbf{while}\ true\ \mathbf{do}\ b?v) \backslash b$.

However, the second component (which is intended to block in certain situations) is always provided infinitely many synchronization opportunities by the third component. As a result, it can never become permanently blocked, regardless of whether $C_5$ or $C_6$ is inserted into the context. In effect, $C_5$'s enabling (but non-use) of $b?$ is obscured by $C_5$'s use of the matching direction $b!$. Because every possible distinguishing context must have the same general form, $C_5$ and $C_6$ are behaviorally indistinguishable. More generally, a trace set containing the finite or infinite trace $\varphi = (\alpha, (F, E \cup X, R))$, with $X \cap \mathrm{vis}(\alpha) = \emptyset$ and $X \subseteq \overline{\mathrm{vis}(\alpha)}$, cannot be distinguished from one that also contains the trace $(\alpha, (F, E, R))$.

The final source of inappropriate distinction arises from pairs of traces whose fairness and enabling sets conflict with one another. For example, consider the commands $C_7 = G_1 \,\square\, G_2$ and $C_8 = G_1 \,\square\, G_2 \,\square\, G_3$, where the guarded commands $G_1$, $G_2$, and $G_3$ are defined as follows:

$G_1 = b!0 \to \mathbf{while}\ true\ \mathbf{do}\ (b!0 \,\square\, a?x \,\square\, a!0)$

$G_2 = b!0 \to ((\mathbf{while}\ true\ \mathbf{do}\ b!0) \parallel (a?x \to \mathbf{while}\ true\ \mathbf{do}\ a?x))$

$G_3 = b!0 \to \mathbf{while}\ true\ \mathbf{do}\ (b!0 \,\square\, a?x)$.

Letting $\alpha$ represent the simple trace $[(s, b!0, s)(s, \delta, s)]^\omega$, the trace sets of $C_7$ and $C_8$ both contain the traces $\varphi_1 = (\alpha, (\emptyset, \{b!, a?, a!\}, i))$ and $\varphi_2 = (\alpha, (\{a?\}, \{b!, a?\}, i))$, but the trace $\varphi_3 = (\alpha, (\emptyset, \{b!, a?\}, i))$ is possible only for $C_8$. To distinguish between $C_7$ and $C_8$ requires a context in which $\varphi_3$ can be distinguished from both $\varphi_1$ and $\varphi_2$ at the same time. As discussed previously, distinguishing $\varphi_3$ from $\varphi_1$ requires a context that places the relevant $C_i$ in parallel with a component that blocks while trying to perform input on channel $a$. In contrast, distinguishing $\varphi_3$ from $\varphi_2$ requires a context that places the relevant $C_i$ in parallel with a component that enables output on channel $a$ infinitely often and yet does not block. Therefore, any distinguishing context for the commands $C_7$ and $C_8$ must contain both of these components running in parallel, one continuously attempting to perform input and the other repeatedly offering matching output. In such a context, the intended "blocking" component is enabled infinitely often by the second component, regardless of which command is inserted. Thus, no context can possibly distinguish the commands $C_7$ and $C_8$. More generally, whenever the traces $(\alpha, (F \cup \{d\}, E, i))$ and $(\alpha, (F, E \cup \{\bar{d}\}, i))$ are in a trace set $T$, it is impossible to determine whether (and it is safe to assume that) the trace $(\alpha, (F, E, i))$ is in $T$ as well.

We formalize these observations by imposing the following closure conditions on trace sets.

Definition 4.2.1 Given a fair trace set $T$, the closure of $T$ (written $T^\dagger$) is the smallest set containing $T$ and satisfying the following conditions:

• Union: If $(\alpha, (F_1, E_1, p))$ and $(\alpha, (F_2, E_2, p))$ are in $T^\dagger$, then $(\alpha, (F_1 \cup F_2, E_1 \cup E_2, p))$ is in $T^\dagger$.

• Convexity: If $(\alpha, (F_1, E_1, p))$ and $(\alpha, (F_2, E_2, p))$ are in $T^\dagger$, $E_1 \subseteq E \subseteq E_2$, $F_1 \subseteq F \subseteq F_2$, and $F \supseteq E$, then $(\alpha, (F, E, p))$ is in $T^\dagger$.

• Superset: If $(\alpha, (F, E, R))$ is in $T^\dagger$, $R \in \{f, i\}$, $F \subseteq F'$, and $E \subseteq E'$, then $(\alpha, (F', E', R))$ is in $T^\dagger$.

• Displacement: If $(\alpha, (F, E \cup X, R))$ is in $T^\dagger$, $R \in \{f, i\}$, $X \cap \mathrm{vis}(\alpha) = \emptyset$, and $X \subseteq \overline{\mathrm{vis}(\alpha)}$, then $(\alpha, (F, E, R))$ is in $T^\dagger$.

• Contention: If $(\alpha, (F \cup \{d\}, E, i))$ and $(\alpha, (F, E \cup \{\bar{d}\}, i))$ are in $T^\dagger$, then $(\alpha, (F, E, i))$ is in $T^\dagger$. ◇

Closure is obviously monotonic (if $T_1 \subseteq T_2$, then $T_1^\dagger \subseteq T_2^\dagger$) and idempotent ($(T^\dagger)^\dagger = T^\dagger$). Moreover, any trace introduced by a closure condition has the same tag as the trace(s) that led to its introduction: for example, convexity introduces partial traces when certain partial traces are in the set, and contention introduces infinite traces when certain infinite traces are in the set. As a result, if the sets $T_f$, $T_p$ and $T_i$ contain only finite, partial and infinite traces, respectively, then $(T_f \cup T_p \cup T_i)^\dagger = T_f^\dagger \cup T_p^\dagger \cup T_i^\dagger$. We use this fact in many subsequent definitions.
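As an added illustration (not part of the dissertation), the following Python computes the closure $T^\dagger$ of Definition 4.2.1 for small trace sets by iterating the five conditions to a fixed point, and checks on the traces of $C_1$/$C_2$, $C_5$/$C_6$ and $C_7$/$C_8$ above that the sets which the text calls indistinguishable have the same closure. The finite direction universe used to bound superset closure and the state-free encoding of simple traces are assumptions of the example.

```python
from itertools import combinations

# Fair traces as on the page: (alpha, (F, E, R)) with F the fairness set, E the
# enabling set and R the tag "f" (finite), "p" (partial) or "i" (infinite).
# Simplification for this example: a simple trace alpha is a tuple of step labels
# such as "a!0" or the silent step "δ", with states omitted; the closure conditions
# consult alpha only through its identity and vis(alpha).

def bar(d):
    """Matching direction: a! <-> a?."""
    return d[:-1] + ("?" if d.endswith("!") else "!")

def vis(alpha):
    """Directions used by the visible communications of alpha."""
    return frozenset(l.rstrip("0123456789") for l in alpha if l != "δ")

def subsets(s):
    items = sorted(s)
    return [frozenset(c) for k in range(len(items) + 1)
            for c in combinations(items, k)]

def trace(alpha, F, E, R):
    return (tuple(alpha), (frozenset(F), frozenset(E), R))

def closure(T, delta):
    """T-dagger of Definition 4.2.1, computed as a fixed point.  Superset closure is
    bounded by the finite direction universe delta (an assumption of this example)
    so that the result is finite; the other four conditions need no bound."""
    delta = frozenset(delta)
    closed = set(T)
    while True:
        new = set()
        for alpha in {a for a, _ in closed}:
            comps = [c for a, c in closed if a == alpha]
            v = vis(alpha)
            for F, E, R in comps:
                if R in ("f", "i"):
                    # Superset: (F, E, R) yields (F', E', R) for F ⊆ F', E ⊆ E'.
                    for Fx in subsets(delta - F):
                        for Ex in subsets(delta - E):
                            new.add((alpha, (F | Fx, E | Ex, R)))
                    # Displacement: an enabled direction whose match is used by
                    # alpha, but which alpha never uses itself, may be dropped.
                    movable = {d for d in E if d not in v and bar(d) in v}
                    for X in subsets(movable):
                        new.add((alpha, (F, E - X, R)))
            for F1, E1, R1 in comps:
                for F2, E2, R2 in comps:
                    if R1 == R2 == "p":
                        # Union of two partial traces.
                        new.add((alpha, (F1 | F2, E1 | E2, "p")))
                        # Convexity: F1 ⊆ F ⊆ F2, E1 ⊆ E ⊆ E2 and F ⊇ E.
                        if F1 <= F2 and E1 <= E2:
                            for Fx in subsets(F2 - F1):
                                for Ex in subsets(E2 - E1):
                                    if (F1 | Fx) >= (E1 | Ex):
                                        new.add((alpha, (F1 | Fx, E1 | Ex, "p")))
                    elif R1 == R2 == "i":
                        # Contention: (F∪{d}, E, i) and (F, E∪{d̄}, i) give (F, E, i).
                        for d in F1 - F2:
                            if F1 - {d} == F2 and E1 | {bar(d)} == E2:
                                new.add((alpha, (F2, E1, "i")))
        if new <= closed:
            return frozenset(closed)
        closed |= new

# Partial a!0-traces of the page's commands C1 and C2: the union condition
# supplies phi_p, so the two sets have the same closure.
A = ("a!0",)
phi1 = trace(A, {"b!"}, {"b!"}, "p")
phi2 = trace(A, {"c!"}, {"c!"}, "p")
phi_p = trace(A, {"b!", "c!"}, {"b!", "c!"}, "p")

def c1_c2_agree():
    delta = {"a!", "b!", "c!"}
    return closure({phi1, phi2}, delta) == closure({phi1, phi2, phi_p}, delta)

# Finite traces of C5 and C6: displacement of b? (matched by the used b!) yields
# chi_prime from chi.
AB = ("a!0", "b!0")
chi = trace(AB, set(), {"a!", "b!", "b?"}, "f")
chi_prime = trace(AB, set(), {"a!", "b!"}, "f")

def c5_c6_agree():
    delta = {"a!", "b!", "b?"}
    return closure({chi}, delta) == closure({chi, chi_prime}, delta)

# Infinite traces of C7 and C8 (alpha = [(s,b!0,s)(s,δ,s)]^ω): contention between
# psi1 and psi2 supplies psi3.
BD = ("b!0", "δ")
psi1 = trace(BD, set(), {"b!", "a?", "a!"}, "i")
psi2 = trace(BD, {"a?"}, {"b!", "a?"}, "i")
psi3 = trace(BD, set(), {"b!", "a?"}, "i")

def c7_c8_agree():
    delta = {"a!", "a?", "b!"}
    return closure({psi1, psi2}, delta) == closure({psi1, psi2, psi3}, delta)
```

Running the three checks returns True in each case; the example generalizes the page's three pairs to any finite trace sets over a chosen direction universe.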

As we shall see in Section 4.4, these closure conditions are precisely what is needed to obtain full abstraction. Let $\mathcal{P}^\dagger$ be the set of closed sets of fair traces. We define a closed trace semantic function $\mathcal{T}^\dagger : \mathbf{Com} \to \mathcal{P}^\dagger$ denotationally, modifying the semantic equations given for $\mathcal{T}$ in Definition 3.3.1 by building the closure property into each clause. Letting $\mathcal{T}^\dagger[[b]] = (\mathcal{T}[[b]])^\dagger$, we define $\mathcal{T}^\dagger$ as follows.

Definition 4.2.2 The closed trace semantic function $\mathcal{T}^\dagger : \mathbf{Com} \to \mathcal{P}^\dagger$ is defined by:

$\mathcal{T}^\dagger[[\mathbf{skip}]] = \{ ((s, \delta, s), (F, \emptyset, f)) \mid s \in S \ \&\ F \in \mathcal{P}_{fin}(\Delta) \}^\dagger \cup \{ (\varepsilon_s, (F, \{\delta\}, p)) \mid s \in S \ \&\ F \supseteq \{\delta\} \}^\dagger$

$\mathcal{T}^\dagger[[i := e]] = \{ ((s, \delta, [s \mid i = n]), (F, \emptyset, f)) \mid \mathrm{fv}[[i := e]] \subseteq \mathrm{dom}(s) \ \&\ F \in \mathcal{P}_{fin}(\Delta) \ \&\ (s, n) \in \mathcal{E}[[e]] \}^\dagger \cup \{ (\varepsilon_s, (F, \{\delta\}, p)) \mid \mathrm{fv}[[i := e]] \subseteq \mathrm{dom}(s) \ \&\ F \supseteq \{\delta\} \}^\dagger$

$\mathcal{T}^\dagger[[\mathbf{if}\ b\ \mathbf{then}\ c_1\ \mathbf{else}\ c_2]] = (\mathcal{T}^\dagger[[b]]; \mathcal{T}^\dagger[[c_1]] \cup \mathcal{T}^\dagger[[\neg b]]; \mathcal{T}^\dagger[[c_2]])^\dagger$

$\mathcal{T}^\dagger[[\mathbf{while}\ b\ \mathbf{do}\ c]] = ((\mathcal{T}^\dagger[[b]]; \mathcal{T}^\dagger[[c]])^\omega \cup (\mathcal{T}^\dagger[[b]]; \mathcal{T}^\dagger[[c]])^*; \mathcal{T}^\dagger[[\neg b]])^\dagger$

$\mathcal{T}^\dagger[[h?i]] = \{ ((s, h?n, [s \mid i = n]), (F, \{h?\}, f)) \mid i \in \mathrm{dom}(s) \ \&\ n \in \mathbb{Z} \ \&\ F \in \mathcal{P}_{fin}(\Delta) \}^\dagger \cup \{ (\varepsilon_s, (F, \{h?\}, p)) \mid i \in \mathrm{dom}(s) \ \&\ F \supseteq \{h?\} \}^\dagger$

$\mathcal{T}^\dagger[[h!e]] = \{ ((s, h!n, s), (F, \{h!\}, f)) \mid (s, n) \in \mathcal{E}[[e]] \ \&\ F \in \mathcal{P}_{fin}(\Delta) \}^\dagger \cup \{ (\varepsilon_s, (F, \{h!\}, p)) \mid \mathrm{fv}[[e]] \subseteq \mathrm{dom}(s) \ \&\ F \supseteq \{h!\} \}^\dagger$

$\mathcal{T}^\dagger[[g \to c]] = (\mathcal{T}^\dagger[[g]]; \mathcal{T}^\dagger[[c]])^\dagger$

$\mathcal{T}^\dagger[[gc_1 \,\square\, gc_2]] = (\mathcal{T}^\dagger[[gc_1]] \,\square\, \mathcal{T}^\dagger[[gc_2]])^\dagger$

$\mathcal{T}^\dagger[[c_1 \parallel c_2]] = (\mathcal{T}^\dagger[[c_1]] \parallel \mathcal{T}^\dagger[[c_2]])^\dagger$

$\mathcal{T}^\dagger[[c \backslash h]] = (\mathcal{T}^\dagger[[c]] \backslash h)^\dagger$.
For all commands $c$, $\mathcal{T}^\dagger[[c]]$ is precisely the closure of $\mathcal{T}[[c]]$: that is, for all commands $c$, $\mathcal{T}^\dagger[[c]] = (\mathcal{T}[[c]])^\dagger$. Proving this fact, however, requires a detour provided by the following section. In particular, the obvious inductive proof requires that we prove that

$(\mathcal{T}^\dagger[[c_1]] \parallel \mathcal{T}^\dagger[[c_2]])^\dagger = ((\mathcal{T}[[c_1]])^\dagger \parallel (\mathcal{T}[[c_2]])^\dagger)^\dagger = (\mathcal{T}[[c_1]] \parallel \mathcal{T}[[c_2]])^\dagger$.

Although this equality holds, we can prove it only by referring to particular properties of the trace sets $\mathcal{T}[[c_1]]$ and $\mathcal{T}[[c_2]]$: the property $(T_1^\dagger \parallel T_2^\dagger)^\dagger = (T_1 \parallel T_2)^\dagger$ does not hold for arbitrary trace sets. For example, consider the following two trace sets:

$T_1 = \{ (\alpha_1, (\emptyset, \{d, \bar{d}, e\}, i)),\ (\alpha_1, (\{d\}, \{d, e\}, i)) \}$,

$T_2 = \{ (\alpha_2, (\{d\}, \{d, \bar{d}\}, i)) \}$.

The set $(T_1 \parallel T_2)^\dagger$ is empty, because the single trace in $T_2$ is not mergeable with either trace in $T_1$. However, it is mergeable with the trace $(\alpha_1, (\emptyset, \{d, e\}, i))$, which is in $T_1^\dagger$ by contention, and hence $(T_1^\dagger \parallel T_2^\dagger)^\dagger$ is not empty.

4.3  Computational  Feasibility 

For any command $c$, the trace set $\mathcal{T}[[c]]$ necessarily satisfies certain properties that an arbitrary trace set may not. These properties stem from the nature of programs, computations, and the definition of parameterized fairness. Several of these properties are essential for proving full abstraction and hence are worth making explicit.

Because every successfully terminating computation is fair mod $\emptyset$, the trace $(\alpha, (\emptyset, E, f))$ is in $\mathcal{T}[[c]]$ whenever any trace $(\alpha, (F, E, f))$ is. Similarly, because a fair mod $F$ computation is also fair mod $F'$ for all $F' \supseteq F$, the trace $(\alpha, (F', E, R))$ is in $\mathcal{T}[[c]]$ whenever $(\alpha, (F, E, R))$ is in $\mathcal{T}[[c]]$ and $F' \supseteq F$.

A partial computation with final configuration $(c, s)$ is fair mod $F$ if and only if $F \supseteq \mathrm{inits}(c, s)$. In particular, if $E = \mathrm{inits}(c, s)$, then the computation is blocked mod $E$ but not blocked mod $E'$ for any $E' \subset E$. As a result, the trace $(\alpha, (E, E, p))$ is in $\mathcal{T}[[c]]$ whenever any trace $(\alpha, (F, E, p))$ is in $\mathcal{T}[[c]]$. Similarly, the trace $(\alpha, (F, E, p))$ is in $\mathcal{T}[[c]]$ whenever $F \supseteq E$ and $(\alpha, (E, E, p))$ is in $\mathcal{T}[[c]]$.

The remaining properties concern the relationships between a computation's infinitely enabled directions, infinitely used directions, and blocked processes. The directions that are used in visible communications infinitely often along a computation are clearly enabled infinitely often. As a result, for any trace $(\alpha, (F, E, i))$ in $\mathcal{T}[[c]]$ it must be that $\mathrm{vis}(\alpha) \subseteq E$. Similarly, no process can become blocked while capable of using a direction that is used infinitely often by some other process: if a fair mod $(F \cup X)$ computation uses the directions in $X$ infinitely often, then the computation must also be fair mod $F$. Therefore, whenever the trace $(\alpha, (F \cup X, E, i))$ is in $\mathcal{T}[[c]]$ and $X \subseteq \mathrm{vis}(\alpha)$, the trace $(\alpha, (F, E, i))$ also must be in $\mathcal{T}[[c]]$. Moreover, the set of directions enabled infinitely often along a computation provides an upper bound on the directions on which processes are permanently blocked: if a fair mod $(F \cup X)$ computation has infinitely enabled directions $E$ and $X \cap E = \emptyset$, then no blocked mod $(F \cup X)$ process can actually use the directions in $X$, and thus the computation is also fair mod $F$. As a result, it is safe to remove the set $X$ from the trace $(\alpha, (F \cup X, E, i))$ in $\mathcal{T}[[c]]$ whenever $X \cap E = \emptyset$.

The final property is subtle but extremely important. Intuitively, a trace with form

$(\alpha, (F \cup \{d\}, E \cup \{d, \bar{d}\}, i))$

represents a computation $\rho$ that enables the directions $d$ and $\bar{d}$ (among others) infinitely often and is fair mod $F \cup \{d\}$. Thus any subcomponent of $c$ that is blocked mod $(F \cup \{d\})$ along $\rho$ must be blocked in a configuration in which its only transitions involve the directions $F \cup \{d\}$. If we assume that $d \notin F$, then any process capable of using direction $d$ has infinitely many opportunities to synchronize, because the matching direction $\bar{d}$ is also enabled infinitely often. Therefore, any subcomponent blocked mod $F \cup \{d\}$ must also be blocked mod $F$, and hence the computation is also fair mod $F$. As a result, the trace

$(\alpha, (F, E \cup \{d, \bar{d}\}, i))$

must be in the set $\mathcal{T}[[c]]$ whenever the original trace is. However, once we start considering the closed trace set $\mathcal{T}^\dagger[[c]]$, we need to account for the possibility that the trace

$(\alpha, (F \cup \{d\}, E \cup \{d, \bar{d}\}, i))$

is in $(\mathcal{T}[[c]])^\dagger$ by superset closure from the trace $(\alpha, (F \cup \{d\}, E \cup \{d\}, i))$ in $\mathcal{T}[[c]]$.

There are, of course, other general properties that are true for all sets $\mathcal{T}[[c]]$ that are not incorporated into the following definition of computational feasibility. The properties that are included suffice for proving that $\mathcal{T}^\dagger[[c]] = (\mathcal{T}[[c]])^\dagger$ for all commands $c$ and that $\mathcal{T}^\dagger$ is fully abstract.

Definition 4.3.1 A fair trace set $T$ is computationally feasible if it satisfies the following properties:

• If the trace $(\alpha, (F, E, f))$ is in $T$, then the trace $(\alpha, (\emptyset, E, f))$ is in $T$.

• If the trace $(\alpha, (F, E, R))$ is in $T$, $R \in \{f, i\}$, and $F \subseteq F'$, then $(\alpha, (F', E, R))$ is in $T$.

• The trace $(\alpha, (F, E, p))$ is in $T$ if and only if $F \supseteq E$ and the trace $(\alpha, (E, E, p))$ is in $T$.

• If the trace $(\alpha, (F, E, i))$ is in $T$, then $\mathrm{vis}(\alpha) \subseteq E$.

• If the trace $(\alpha, (F \cup X, E, i))$ is in $T$ and $X \subseteq \mathrm{vis}(\alpha)$, then the trace $(\alpha, (F, E, i))$ is in $T$.

• If $(\alpha, (F \cup X, E, i))$ is in $T$ and $X \cap E = \emptyset$, then $(\alpha, (F, E, i))$ is in $T$.

• If $(\alpha, (F \cup \{d\}, E \cup \{d, \bar{d}\}, i))$ is in $T$ and $d \notin F$, then at least one of the traces $(\alpha, (F, E \cup \{d, \bar{d}\}, i))$ and $(\alpha, (F \cup \{d\}, E \cup \{d\}, i))$ is in $T$. ◇
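To make the seven conditions of Definition 4.3.1 checkable on concrete sets, here is an added Python example (not from the dissertation) that reports which conditions a finite trace set violates, run on the infinite traces of $C_7$ and $C_8$ from Section 4.2 and on a single conflicting trace that no command's trace set could contain. Bounding the quantification over $F'$ by a finite direction universe and omitting states from simple traces are assumptions of the example.

```python
from itertools import combinations

# Trace representation as in the closure example above: (alpha, (F, E, R)) with
# alpha a tuple of step labels ("b!0", "δ") and states omitted (a simplification
# made for this example).

def bar(d):
    return d[:-1] + ("?" if d.endswith("!") else "!")

def vis(alpha):
    return frozenset(l.rstrip("0123456789") for l in alpha if l != "δ")

def subsets(s):
    items = sorted(s)
    return [frozenset(c) for k in range(len(items) + 1)
            for c in combinations(items, k)]

def superset_closed(traces, delta):
    """Every (F', E', R) with F ⊆ F' ⊆ delta and E ⊆ E' ⊆ delta, for the given f/i
    traces; used to build candidate sets (delta bounding the directions is an
    assumption of this example)."""
    delta = frozenset(delta)
    return {(a, (F | Fx, E | Ex, R)) for a, (F, E, R) in traces
            for Fx in subsets(delta - F) for Ex in subsets(delta - E)}

def violations(T, delta):
    """Instances of the conditions of Definition 4.3.1 that T fails, as
    (condition number, offending trace) pairs; empty iff T is feasible within
    delta.  The unbounded quantification over F' is cut off at delta."""
    T, delta, bad = set(T), frozenset(delta), []
    for tr in T:
        alpha, (F, E, R) = tr
        v = vis(alpha)
        if R == "f" and (alpha, (frozenset(), E, "f")) not in T:
            bad.append((1, tr))          # termination is fair mod ∅
        if R in ("f", "i") and any((alpha, (F | Fx, E, R)) not in T
                                   for Fx in subsets(delta - F)):
            bad.append((2, tr))          # fair mod F implies fair mod F' ⊇ F
        if R == "p":
            if not (F >= E and (alpha, (E, E, "p")) in T):
                bad.append((3, tr))      # blocked mod E with E = inits
            elif any((alpha, (E | Fx, E, "p")) not in T
                     for Fx in subsets(delta - E)):
                bad.append((3, tr))      # ... and mod every F ⊇ E
        if R == "i":
            if not v <= E:
                bad.append((4, tr))      # used infinitely often ⇒ enabled
            if any((alpha, (F - X, E, "i")) not in T for X in subsets(F & v)):
                bad.append((5, tr))      # used directions add no constraint
            if any((alpha, (F - X, E, "i")) not in T for X in subsets(F - E)):
                bad.append((6, tr))      # unenabled directions add none
            for d in F:
                if d in E and bar(d) in E and not (
                        (alpha, (F - {d}, E, "i")) in T
                        or (alpha, (F, E - {bar(d)}, "i")) in T):
                    bad.append((7, tr))  # d̄ enabled: who is blocked on d?
    return bad

# Infinite traces of the page's commands C7 and C8, alpha = [(s,b!0,s)(s,δ,s)]^ω.
BD = ("b!0", "δ")
DELTA = {"a!", "a?", "b!"}
psi1 = (BD, (frozenset(), frozenset({"b!", "a?", "a!"}), "i"))
psi2 = (BD, (frozenset({"a?"}), frozenset({"b!", "a?"}), "i"))
psi_odd = (BD, (frozenset({"a?"}), frozenset({"b!", "a?", "a!"}), "i"))

def feasible_example():
    """psi1 and psi2 together (superset-closed) satisfy every condition."""
    return violations(superset_closed({psi1, psi2}, DELTA), DELTA)

def infeasible_example():
    """psi_odd alone: a? is a fairness constraint although a! is enabled
    infinitely often, and neither explanation (psi1 or psi2) is present, so
    only the final condition fails."""
    return sorted({n for n, _ in violations(superset_closed({psi_odd}, DELTA), DELTA)})
```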

The following lemma shows that the definition of computational feasibility indeed captures general properties of commands' trace sets.

Lemma 4.3.2 For all commands $c$, $\mathcal{T}[[c]]$ is computationally feasible.


Proof: By a straightforward but tedious induction on the structure of $c$. To give a flavor of the proof, we prove that $\mathcal{T}[[c_1 \parallel c_2]]$ satisfies the sixth condition: if $(\alpha, (F \cup X, E, i))$ is in $\mathcal{T}[[c_1 \parallel c_2]]$ and $X \cap E = \emptyset$, then $(\alpha, (F, E, i))$ is in $\mathcal{T}[[c_1 \parallel c_2]]$.

Suppose that $\varphi = (\alpha, (F \cup X, E, i))$ is in $\mathcal{T}[[c_1 \parallel c_2]]$ and that $X \cap E = \emptyset$. By definition of parallel composition, there exist traces

$\varphi_1 = (\alpha_1, (F_1, E_1, R_1)) \in \mathcal{T}[[c_1]], \quad \varphi_2 = (\alpha_2, (F_2, E_2, R_2)) \in \mathcal{T}[[c_2]]$

such that $(\varphi_1, \varphi_2, \varphi) \in \mathrm{fairmerge}$. At least one of $\varphi_1, \varphi_2$ is infinite; without loss of generality, we assume that $\varphi_1$ is infinite. As a result, we know that $(F \cup X) = F_1 \cup F_2$ and that $E = E_1$ (if $R_2 = f$) or $E = E_1 \cup E_2$ (if $R_2 \neq f$).

Because $X \cap E = \emptyset$ and $E \supseteq E_1$, we know that $E_1 \cap X = \emptyset$ (and $E_2 \cap X = \emptyset$ if $R_2 \neq f$). By the inductive hypothesis, $\mathcal{T}[[c_1]]$ and $\mathcal{T}[[c_2]]$ are computationally feasible, and hence

$\varphi_1' = (\alpha_1, (F_1 - X, E_1, i)) \in \mathcal{T}[[c_1]], \quad \varphi_2' = (\alpha_2, (F_2 - X, E_2, R_2)) \in \mathcal{T}[[c_2]]$.

(The existence of $\varphi_2'$ follows because either $R_2 = f$ (in which case any choice of $F$ is permissible for $\varphi_2'$) or $E_2 \cap X = \emptyset$.) Letting $\varphi' = (\alpha, (F, E, i))$, it follows that $(\varphi_1', \varphi_2', \varphi') \in \mathrm{fairmerge}$, and hence $\varphi'$ is in $\mathcal{T}[[c_1]] \parallel \mathcal{T}[[c_2]] = \mathcal{T}[[c_1 \parallel c_2]]$ as required. ■


The following two lemmas show that closure preserves computational feasibility and distributes over the various semantic operators when applied to computationally feasible trace sets.

Lemma 4.3.3 If the trace set $T$ is computationally feasible, then $T^\dagger$ is also computationally feasible.
Proof: By a straightforward but tedious case analysis showing that each possible trace introduced by closure respects computational feasibility. To give a flavor of the proof, we show that displacement preserves the final property of the definition of computational feasibility.

Let $T$ be a computationally feasible trace set, and let $\varphi = (\alpha, (F \cup \{d\}, E \cup \{d, \bar{d}\}, i))$ be a trace of $T^\dagger$ that arises by displacement from one of $T$'s traces

$(\alpha, (F \cup \{d\}, E \cup \{d, \bar{d}\} \cup Y, i))$,

where $Y \cap \mathrm{vis}(\alpha) = \emptyset$ and $Y \subseteq \overline{\mathrm{vis}(\alpha)}$. We need to show that $T^\dagger$ also contains either $\varphi' = (\alpha, (F, E \cup \{d, \bar{d}\}, i))$ or $\varphi'' = (\alpha, (F \cup \{d\}, E \cup \{d\}, i))$.

Because $T$ is computationally feasible, we know that $\mathrm{vis}(\alpha) \subseteq E \cup \{d, \bar{d}\}$ and that $T$ also contains at least one of the following two traces:

$(\alpha, (F, E \cup \{d, \bar{d}\} \cup Y, i)), \quad (\alpha, (F \cup \{d\}, E \cup \{d\} \cup Y, i))$.

It follows by displacement that $T^\dagger$ contains either $\varphi'$ or $\varphi''$ as required. ■

Lemma 4.3.4 For all computationally feasible trace sets $T$, $T_1$ and $T_2$, the following properties hold:

$(T_1; T_2)^\dagger = (T_1^\dagger; T_2^\dagger)^\dagger$

$(T^*)^\dagger = ((T^\dagger)^*)^\dagger$

$(T_1 \cup T_2)^\dagger = (T_1^\dagger \cup T_2^\dagger)^\dagger$

$(T_1 \parallel T_2)^\dagger = (T_1^\dagger \parallel T_2^\dagger)^\dagger$

$(T_1 \,\square\, T_2)^\dagger = (T_1^\dagger \,\square\, T_2^\dagger)^\dagger$

Proof: In general, the proof of each property is based on a simple case analysis that shows that whenever a trace is in $T_1^\dagger \odot T_2^\dagger$ (for each relevant operator $\odot$), the trace is also in $(T_1 \odot T_2)^\dagger$. Because closure is monotonic and idempotent, it follows that $(T_1^\dagger \odot T_2^\dagger)^\dagger = (T_1 \odot T_2)^\dagger$.

The following result shows that, for all commands $c$, the meaning given to $c$ by the closed trace semantics is exactly the closure of $\mathcal{T}[[c]]$.

Proposition 4.3.5 For all commands $c$, $\mathcal{T}^\dagger[[c]] = (\mathcal{T}[[c]])^\dagger$.

Proof: By a straightforward induction on the structure of $c$, using the properties of Lemma 4.3.4. For example, the case for parallel composition proceeds as follows, relying on the inductive hypothesis that $\mathcal{T}^\dagger[[c_i]] = (\mathcal{T}[[c_i]])^\dagger$ for each $i$:

$\mathcal{T}^\dagger[[c_1 \parallel c_2]] = (\mathcal{T}^\dagger[[c_1]] \parallel \mathcal{T}^\dagger[[c_2]])^\dagger = ((\mathcal{T}[[c_1]])^\dagger \parallel (\mathcal{T}[[c_2]])^\dagger)^\dagger$

$\quad = (\mathcal{T}[[c_1]] \parallel \mathcal{T}[[c_2]])^\dagger = (\mathcal{T}[[c_1 \parallel c_2]])^\dagger$.
4.4 Full Abstraction for the Behavior $\mathcal{M}$

In this section, we prove that the semantics $\mathcal{T}^\dagger$ is fully abstract with respect to the state trace behavior $\mathcal{M}$: $\mathcal{T}^\dagger$ gives identical meanings to two program terms if and only if they exhibit the same state trace behaviors in all program contexts. We begin with some definitions and necessary lemmas.

Definition 4.4.1 An element $\varphi = (\alpha, (F, E, R))$ of a trace set $T$ is minimal if for every $\varphi' = (\alpha, (F', E', R))$ in $T$, $(F' \subseteq F \ \&\ E' \subseteq E) \Rightarrow \varphi = \varphi'$. ◇

Thus a finite or infinite trace $\varphi \in T$ is minimal if there is no other trace $\varphi' \in T$ that would yield $\varphi$ through superset closure; a partial trace $\varphi = (\alpha, (F, E, p)) \in T$ is minimal if $F = E$ and every other partial trace $\varphi' = (\alpha, (F', E', p))$ in $T$ has a direction $d \in E' - E$. A closed trace set is uniquely characterized by its set of minimal traces: each of its finite or infinite traces can be obtained from minimal traces by superset closure, and every partial trace can be obtained by a combination of union and convex closure.

For a trace set $T$ and a simple trace $\alpha$, it is often necessary to talk about the (minimal) traces of $T$ with the simple component $\alpha$. In the following definition, we concern ourselves only with infinite traces $\alpha$; clearly, a similar definition can be given for finite traces $\alpha$, as well as a distinction between successful and partial $\alpha$-traces.

Definition 4.4.2  Let $T$ be a trace set. The set $\min(T, \alpha)$ is the set of minimal (nonpartial) $\alpha$-traces in $T$; that is, $\min(T, \alpha) = \{\varphi = (\alpha, (F, E, R)) \mid \varphi \text{ is minimal in } T \ \&\ R \in \{\mathrm{f}, \mathrm{i}\}\}$. ◇

The minimal traces of a computationally feasible trace set all satisfy certain conditions relating the fairness set $F$ to the enabling set $E$. For a minimal finite trace $\varphi = (\alpha, (F, E, \mathrm{f}))$, the set $F$ is necessarily empty; for any minimal partial trace $\varphi = (\alpha, (F, E, \mathrm{p}))$, it must be the case that $F = E$. If the infinite trace $\varphi = (\alpha, (F, E, \mathrm{i}))$ is minimal in a computationally feasible trace set, then $F \subseteq E$, because directions enabled only finitely often do not introduce fairness constraints. Moreover, if the direction $d$ is in the set $F$ (representing a fairness constraint of some component), then either $\bar d$ is also in $F$ (indicating that exactly one subcomponent enables each of $d$ and $\bar d$, with insufficient synchronization opportunities) or $\bar d$ is not enabled infinitely often. We call infinite traces that satisfy these criteria potentially minimal.

Definition 4.4.3  An infinite trace $\varphi = (\alpha, (F, E, \mathrm{i}))$ is potentially minimal if $F \subseteq E$ and, for all directions $d \in F$, $\bar d \in F \Leftrightarrow \bar d \in E$. ◇

Every potentially minimal trace $\varphi$ is a minimal trace of some computationally feasible trace set $T$; in particular, $\varphi$ is a minimal trace of the computationally feasible trace set $\{\varphi\}^{\dagger}$. Moreover, every minimal trace of a computationally feasible trace set is potentially minimal.
Suppose a closed, computationally feasible trace set $T$ does not contain the potentially minimal trace $\varphi = (\alpha, (F, E, \mathrm{i}))$. If $T$ does contain other $\alpha$-traces (that is, if $\min(T, \alpha) \ne \emptyset$), then each minimal trace $(\alpha, (F_i, E_i, \mathrm{i}))$ in $T$ must have an additional fairness constraint (represented by a direction $d \in F_i - F$) or enable an additional direction infinitely often (represented by a direction $d \in E_i - E$); otherwise $\varphi$ would be in $T$ by closure under superset. The idea is that, by carefully selecting one of these fairness constraints $d_i \in F_i - F$ or infinitely enabled directions $d_i \in E_i - E$ for each minimal $\varphi_i$, we can construct a context that distinguishes the trace $\varphi$ from the traces in $T$. For reasons similar to those that motivated the introduction of the contention closure condition, it is important that none of the selected fairness constraints matches any of the selected infinitely enabled directions. We formalize this "careful selection" as a conflict-free resolution, as given in the following definition.

Definition 4.4.4  Let $T$ be a trace set not containing the trace $\varphi = (\alpha, (F, E, \mathrm{i}))$. A conflict-free resolution of $T$ for $\varphi$ is a total function

    $\mathcal{R} : \min(T, \alpha) \to (\Delta \times \{F, E\})$

satisfying the following two conditions:

•  For all traces $\varphi_i \in \min(T, \alpha)$,

    $\mathcal{R}(\varphi_i) = (d_i, F) \Rightarrow d_i \in F_i - F$  &  $\mathcal{R}(\varphi_i) = (d_i, E) \Rightarrow d_i \in E_i - E$.

•  For all traces $\varphi_i, \varphi_j \in \min(T, \alpha)$, $\mathcal{R}(\varphi_i) = (d_i, F) \ \&\ \mathcal{R}(\varphi_j) = (d_j, E) \Rightarrow \neg\mathrm{match}(d_i, d_j)$. ◇

As a consequence of the following lemma, a conflict-free resolution of $\mathcal{T}^{\dagger}[\![c]\!]$ for $\varphi$ can always be constructed, for any command $c$ and any potentially minimal trace $\varphi \notin \mathcal{T}^{\dagger}[\![c]\!]$. That is, the necessary "careful selection" is always possible. This fact will be necessary for proving full abstraction.

Lemma 4.4.5  Let $T$ be a closed, computationally feasible trace set not containing the potentially minimal trace $\varphi = (\alpha, (F, E, \mathrm{i}))$. If the set $\min(T, \alpha)$ is finite, then there is a conflict-free resolution of $T$ for $\varphi$.

Proof: Assume that $\min(T, \alpha)$ is finite, and let $\mathcal{R}$ be a total function $\mathcal{R} : \min(T, \alpha) \to (\Delta \times \{F, E\})$ such that, for all traces $\varphi_i \in \min(T, \alpha)$,

    $\mathcal{R}(\varphi_i) = (d_i, F) \Rightarrow d_i \in F_i - F$  &  $\mathcal{R}(\varphi_i) = (d_i, E) \Rightarrow d_i \in E_i - E$.

(Such a function exists: because $T$ is closed under superset and does not contain $\varphi$, no $\varphi_i$ can have both $F_i \subseteq F$ and $E_i \subseteq E$.) We say that $\mathcal{R}$ has conflicts on channel $h$ if there exist traces $\varphi_i, \varphi_j \in \min(T, \alpha)$ and a direction $d$ such that $\mathcal{R}(\varphi_i) = (d, F)$, $\mathcal{R}(\varphi_j) = (\bar d, E)$, and $\mathrm{chan}(d) = h$. We introduce a well-ordering $<$ on channels, and we show that $\mathcal{R}$ can be transformed into a conflict-free resolution by removing conflicts in a systematic way, using the channel ordering.

Suppose $h$ is the least channel on which $\mathcal{R}$ has conflicts. There must be traces $\varphi_x = (\alpha, (F_x, E_x, \mathrm{i}))$ and $\varphi_y = (\alpha, (F_y, E_y, \mathrm{i}))$ in $\min(T, \alpha)$ such that $\mathcal{R}(\varphi_x) = (d, F)$, $\mathcal{R}(\varphi_y) = (\bar d, E)$, and $\mathrm{chan}(d) = h$. Exactly one of the following cases must hold:

Case: $d \notin E$

    Because $T$ is computationally feasible and $\varphi_x$ is minimal, it must be that $d \in E_x - E$ as well. Thus every mapping to $(d, F)$ in $\mathcal{R}$ can be replaced by a mapping to $(d, E)$; likewise, every mapping to $(\bar d, F)$ can be replaced by a mapping to $(\bar d, E)$. The resulting resolution has no conflicts on channels $k < h$ or on channel $h$.

Case: $d \in E$ and ($\bar d \in F_y$ or $\bar d \in F_x$)

    Because $d \in E$, $\mathcal{R}$ does not map any trace to the pair $(d, E)$. As a result, replacing $\mathcal{R}(\varphi_y)$ or $\mathcal{R}(\varphi_x)$ (or both, when possible) by a mapping to $(\bar d, F)$ will remove at least one conflict on channel $h$, without introducing any conflicts on channels $k < h$.

Case: $d \in E$ and $\bar d \notin F_y$ and $\bar d \notin F_x$

    Because $\varphi_x$ and $\varphi_y$ are minimal (and hence potentially minimal), we know that $\bar d \notin E_x$ and $d \notin F_y$. Because $T$ is closed under superset, $T$ contains the traces

        $(\alpha, (F_x \cup F_y, (E_x \cup E_y) - \{\bar d\}, \mathrm{i}))$ and $(\alpha, ((F_x \cup F_y) - \{d\}, E_x \cup E_y, \mathrm{i}))$,

    via $\varphi_x$ and $\varphi_y$, respectively. It follows that the trace

        $(\alpha, ((F_x \cup F_y) - \{d\}, (E_x \cup E_y) - \{\bar d\}, \mathrm{i}))$

    is in $T$ by contention, and thus there must be some minimal trace $\varphi_r = (\alpha, (F_r, E_r, \mathrm{i}))$ in $T$ such that $F_r \subseteq (F_x \cup F_y) - \{d\}$ and $E_r \subseteq (E_x \cup E_y) - \{\bar d\}$.

    If $\mathcal{R}(\varphi_r) = (e, E)$ (for some direction $e$), then $e \in E_r - E$, and hence $e \in E_x - E$ or $e \in E_y - E$. Likewise, if $\mathcal{R}(\varphi_r) = (e, F)$, then $e \in F_r - F$, and hence $e \in (F_x - F) \cup (F_y - F)$. Thus at least one of $\mathcal{R}(\varphi_x)$ and $\mathcal{R}(\varphi_y)$ can be replaced by a mapping to $\mathcal{R}(\varphi_r)$. This change cannot introduce any new conflicts on channels $k < h$ and reduces the number of conflicts on channel $h$.

Because $\min(T, \alpha)$ is finite, repeating the preceding analysis eventually removes all conflicts on channel $h$, without introducing any conflicts on any channel $k < h$. Moreover, because there can be only finitely many channels mentioned in the set $\min(T, \alpha)$, the analysis must be applied for only a finite number of channels, eventually resulting in a conflict-free resolution for $\varphi$. ■
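The definitions of minimality, potential minimality and conflict-free resolution (Definitions 4.4.1 to 4.4.4) can be checked mechanically on a finite trace set. The following Python script is an added example, not part of the dissertation: it represents a fair trace as a tuple (α, F, E, R), treating the simple-trace component α as an opaque label, writes directions as strings such as `a!` and `a?` with `bar` giving the matching direction, and finds a conflict-free resolution by exhaustive backtracking over the finitely many candidate pairs (the existence proof of Lemma 4.4.5 is an ordering argument; the search here simply tries every assignment and reports `None` when no conflict-free assignment exists). The trace sets `T_OK` and `T_CONFLICT` are constructed for the example; the second one omits a trace that contention closure would force, which is exactly why the lemma's hypothesis of a closed set matters.

```python
"""Minimal traces, potential minimality and conflict-free resolutions
(Definitions 4.4.1-4.4.4) over a finite trace set.  Added example; the
trace sets below are constructed for illustration.

A fair trace is a tuple (alpha, F, E, R):
  alpha - simple-trace component, treated here as an opaque label
  F     - frozenset of directions carrying fairness constraints
  E     - frozenset of directions enabled infinitely often (or at the end)
  R     - "f" (finite), "i" (infinite) or "p" (partial)
Directions are strings "h!" / "h?" on channel h, or EPS for an internal step.
"""

EPS = "eps"


def bar(d):
    """The direction that synchronises with d (h! <-> h?); EPS has none."""
    if d == EPS:
        return None
    return d[:-1] + ("?" if d.endswith("!") else "!")


def match(d1, d2):
    """True when d1 and d2 are a complementary pair on one channel."""
    return d1 != EPS and bar(d1) == d2


def is_minimal(phi, T):
    """Definition 4.4.1: no other trace of T with the same alpha and R has
    fairness and enabling sets contained in those of phi."""
    alpha, F, E, R = phi
    return not any(a2 == alpha and R2 == R and F2 <= F and E2 <= E
                   and (F2, E2) != (F, E)
                   for (a2, F2, E2, R2) in T)


def min_traces(T, alpha):
    """Definition 4.4.2: the minimal nonpartial alpha-traces of T."""
    return [phi for phi in T
            if phi[0] == alpha and phi[3] in ("f", "i") and is_minimal(phi, T)]


def is_potentially_minimal(phi):
    """Definition 4.4.3: F is a subset of E and, for every d in F,
    bar(d) is in F exactly when bar(d) is in E."""
    alpha, F, E, R = phi
    if R != "i" or not F <= E:
        return False
    return all((bar(d) in F) == (bar(d) in E) for d in F if d != EPS)


def is_conflict_free(res, phi):
    """Check both conditions of Definition 4.4.4 for a candidate resolution
    res: {phi_i: (d_i, "F") or (d_i, "E")}."""
    _, F, E, _ = phi
    for (_, Fi, Ei, _), (d, kind) in res.items():
        if kind == "F" and d not in Fi - F:
            return False
        if kind == "E" and d not in Ei - E:
            return False
    return not any(k1 == "F" and k2 == "E" and match(d1, d2)
                   for (d1, k1) in res.values() for (d2, k2) in res.values())


def conflict_free_resolution(T, phi):
    """Return a conflict-free resolution of T for phi, or None if none exists.
    Each minimal alpha-trace gets one of its finitely many candidate pairs;
    the assignment is built by backtracking search (not the lemma's ordering)."""
    alpha, F, E, _ = phi
    mins = min_traces(T, alpha)
    options = []
    for (_, Fi, Ei, _) in mins:
        opts = ([(d, "F") for d in sorted(Fi - F)] +
                [(d, "E") for d in sorted(Ei - E)])
        if not opts:          # phi itself would be in T by superset closure
            return None
        options.append(opts)

    def search(i, chosen):
        if i == len(mins):
            return dict(zip(mins, chosen))
        for opt in options[i]:
            trial = chosen + [opt]
            if is_conflict_free(dict(zip(mins, trial)), phi):
                found = search(i + 1, trial)
                if found is not None:
                    return found
        return None

    return search(0, [])


# Constructed example.  PHI is an infinite alpha-trace with no fairness
# constraint and a! enabled infinitely often; T_OK contains two minimal
# traces that each differ from PHI in one way, plus a non-minimal superset.
fs = frozenset
PHI = ("alpha", fs(), fs({"a!"}), "i")
PHI_1 = ("alpha", fs({"a!"}), fs({"a!"}), "i")        # extra constraint on a!
PHI_2 = ("alpha", fs(), fs({"a!", "b?"}), "i")         # b? enabled infinitely often
T_OK = {PHI_1, PHI_2, ("alpha", fs({"a!"}), fs({"a!", "b?"}), "i")}
# A trace whose only candidate pair is (a?, E) conflicts with (a!, F); a set
# containing it and PHI_1 cannot be closed under contention while omitting PHI.
T_CONFLICT = T_OK | {("alpha", fs(), fs({"a!", "a?"}), "i")}

if __name__ == "__main__":
    print(conflict_free_resolution(T_OK, PHI))
    print(conflict_free_resolution(T_CONFLICT, PHI))
```

Running the script prints the resolution `{PHI_1: ("a!", "F"), PHI_2: ("b?", "E")}` for `T_OK` and `None` for `T_CONFLICT`; the search is exponential in the number of minimal traces, which is acceptable only because the sets in a distinguishing-context argument are finite.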

We can now prove full abstraction of the semantics $\mathcal{T}^{\dagger}$ for the behavior $\mathcal{M}$.

Proposition 4.4.6  The closed trace semantics $\mathcal{T}^{\dagger}$ is inequationally fully abstract with respect to $\mathcal{M}$: for all commands $c$ and $c'$,

    $\mathcal{T}^{\dagger}[\![c]\!] \subseteq \mathcal{T}^{\dagger}[\![c']\!] \iff \forall P[-].\ \mathcal{M}[\![P[c]]\!] \subseteq \mathcal{M}[\![P[c']]\!]$.

Proof: The forward implication follows from the compositionality of $\mathcal{T}^{\dagger}$, the monotonicity of operations on trace sets, and the fact that, when $\mathcal{T}^{\dagger}[\![P[c]]\!] \subseteq \mathcal{T}^{\dagger}[\![P[c']]\!]$,

    $\mathcal{M}[\![P[c]]\!] = \{\mathrm{states}(\alpha) \mid \exists E.\ (\alpha, (\emptyset, E, R)) \in \mathcal{T}^{\dagger}[\![P[c]]\!] \ \&\ R \in \{\mathrm{f}, \mathrm{i}\} \ \&\ \mathrm{chans}(\alpha) = \{\epsilon\}\}$
    $\qquad\quad \cup\ \{\mathrm{states}(\alpha)\delta \mid (\alpha, (\emptyset, \emptyset, \mathrm{p})) \in \mathcal{T}^{\dagger}[\![P[c]]\!] \ \&\ \mathrm{chans}(\alpha) = \{\epsilon\}\}$
    $\qquad \subseteq \{\mathrm{states}(\alpha) \mid \exists E.\ (\alpha, (\emptyset, E, R)) \in \mathcal{T}^{\dagger}[\![P[c']]\!] \ \&\ R \in \{\mathrm{f}, \mathrm{i}\} \ \&\ \mathrm{chans}(\alpha) = \{\epsilon\}\}$
    $\qquad\quad \cup\ \{\mathrm{states}(\alpha)\delta \mid (\alpha, (\emptyset, \emptyset, \mathrm{p})) \in \mathcal{T}^{\dagger}[\![P[c']]\!] \ \&\ \mathrm{chans}(\alpha) = \{\epsilon\}\}$
    $\qquad = \mathcal{M}[\![P[c']]\!]$.

[We write $\mathrm{states}(\alpha)$ to indicate the sequence of states encountered along $\alpha$: for example, if $\alpha = (s_0, \epsilon, s_1)(s_1, \epsilon, s_2) \cdots (s_k, \epsilon, s_{k+1})$, then $\mathrm{states}(\alpha) = s_0 s_1 s_2 \cdots s_k s_{k+1}$.]

For the reverse implication, consider $\varphi = (\alpha, (F, E, R))$ in $\mathcal{T}^{\dagger}[\![c]\!] - \mathcal{T}^{\dagger}[\![c']\!]$.

Case: $\varphi = (\alpha, (F, E, \mathrm{f}))$

    Because $\mathcal{T}^{\dagger}[\![c]\!]$ and $\mathcal{T}^{\dagger}[\![c']\!]$ are computationally feasible, we can assume without loss of generality that $F = \emptyset$. Let $(\alpha, (\emptyset, E_1, \mathrm{f})), \ldots, (\alpha, (\emptyset, E_m, \mathrm{f}))$ be the (necessarily finite number of) minimal $\alpha$-traces in $\mathcal{T}^{\dagger}[\![c']\!]$. Closure under superset ensures that $E_i \not\subseteq E$ for each $i \le m$; thus for each $i$ we can choose a direction $d_i \in E_i - E$.

    Let $x_1, \ldots, x_n$ be the free identifiers of $c$, and let $h_1, \ldots, h_k$ be the channel names appearing in $c$. We let $x, y, \mathit{flag}, \mathit{step}, v_1, \ldots, v_n$ be fresh identifiers, and we define guards $g_i$ (for each $i \le m$) so that each guard $g_i$ "matches" the direction $d_i$: $g_i = h!0$ when $d_i = h?$, and $g_i = h?x$ when $d_i = h!$. We also define a command $\mathrm{Match}_{y,i}(\alpha)$ inductively as follows:

        $\mathrm{Match}_{y,i}((s, \epsilon, s')) = \mathit{step}{:=}i$
        $\mathrm{Match}_{y,i}((s, h!n, s)) = h?y;\ \mathit{step}{:=}i$
        $\mathrm{Match}_{y,i}((s, h?n, s)) = h!n;\ \mathit{step}{:=}i$
        $\mathrm{Match}_{y,i}(\alpha\beta) = \mathrm{Match}_{y,i}(\alpha);\ \mathrm{Match}_{y,i+1}(\beta)$.

    Intuitively, the command $\mathrm{Match}_{y,i}(\alpha)$ can synchronize with the trace $\alpha$, keeping track of the number of steps performed along the way.

    We now let $P[-]$ be the following context:

        while true do
            ($v_1{:=}x_1;\ v_2{:=}x_2;\ \cdots;\ v_n{:=}x_n$;
             ($[-] \parallel \mathrm{Match}_{y,1}(\alpha)$);
             $x_1{:=}v_1;\ x_2{:=}v_2;\ \cdots;\ x_n{:=}v_n$)

    Because $\varphi$ never enables synchronization with any of the guards $g_i$, $\mathcal{M}[\![P[c]]\!]$ has a behavior that corresponds to the infinite iteration of $\alpha$ in which the variable $\mathit{flag}$ is never set to 1. In contrast, every computation of $P[c']$ that iterates $\alpha$ infinitely many times must enable synchronization infinitely often with at least one guard $g_i$; consequently, any behavior in $\mathcal{M}[\![P[c']]\!]$ corresponding to the infinite iteration of $\alpha$ must eventually set $\mathit{flag}$ to 1.

Case: $\varphi = (\alpha, (F, E, \mathrm{p}))$

    Without loss of generality, we can assume that $F = E$. We let $x, y, \mathit{flag}, \mathit{step}$ be fresh identifiers, and we let $h_1, \ldots, h_k$ be the channel names appearing in $c$. We let $a$ be a fresh channel name not appearing in $c$ or $c'$.

    Let $(\alpha, (E_1, E_1, \mathrm{p})), \ldots, (\alpha, (E_m, E_m, \mathrm{p}))$ be the finite number of minimal partial $\alpha$-traces in $\mathcal{T}^{\dagger}[\![c']\!]$, and let $Z = \bigcup_{i=1}^{m} E_i$. Closure under union ensures that $(\alpha, (Z, Z, \mathrm{p}))$ is in $\mathcal{T}^{\dagger}[\![c']\!]$; by convex closure, it must be that (for each $i \le m$) $\neg(E_i \subseteq E \subseteq Z)$. Therefore, either $E \not\subseteq Z$ or, for each $i$, $E_i \not\subseteq E$.

    If $E \not\subseteq Z$, then there exists a direction $d \in E - Z$. Let $g$ be a matching guard for $d$ if $d \ne \epsilon$, and let $P[-]$ be the following context:

        $([-] \parallel \mathrm{Match}_{x,1}(\alpha);\ \mathit{flag}{:=}1;\ g \to \mathit{flag}{:=}2)\backslash h_1 \backslash \cdots \backslash h_k$.

    (When $d = \epsilon$, replace the code fragment "$g \to \mathit{flag}{:=}2$" by "$\mathit{flag}{:=}2$".) $\mathcal{M}[\![P[c]]\!]$ has a behavior that begins with a correspondence to $\alpha$, followed by $\mathit{flag}$ being set to 1 and then, exactly two steps later, being set to 2. In contrast, $\mathcal{M}[\![P[c']]\!]$ has no such behavior.

    If each $E_i \not\subseteq E$, then for each $i$ choose a direction $d_i \in E_i - E$. Let $g_i$ be a matching guard for $d_i$ whenever $d_i \ne \epsilon$, and let $g_i$ be the guard $a!0$ when $d_i = \epsilon$. Let $P[-]$ be the following context:

        $([-] \parallel \mathrm{Match}_{x,1}(\alpha);\ y{:=}0;\ \sum_{i=1}^{m} g_i \to \mathit{flag}{:=}1)\backslash h_1 \backslash \cdots \backslash h_k \backslash a$.

    $\mathcal{M}[\![P[c]]\!]$ has a deadlocked behavior corresponding to $\alpha$ in which the final step involves setting $y$ to 0. In contrast, every deadlocked behavior in $\mathcal{M}[\![P[c']]\!]$ corresponding to $\alpha$ must take at least one step after setting $y$ to 0.

Case: $\varphi = (\alpha, (F, E, \mathrm{i}))$

    Without loss of generality, assume that $\varphi$ is minimal in $\mathcal{T}^{\dagger}[\![c]\!]$. We let $x, y, f1, f2, \mathit{synch}, \mathit{value}, \mathit{comm}$, and $\mathit{count}$ be fresh identifiers, $h_1, \ldots, h_k$ be the channel names appearing in $c$, and $a$ be a fresh channel name not appearing in $c$ or $c'$.

    Let $\varphi_1 = (\alpha, (F_1, E_1, \mathrm{i})), \ldots, \varphi_m = (\alpha, (F_m, E_m, \mathrm{i}))$ be the minimal $\alpha$-traces in $\mathcal{T}^{\dagger}[\![c']\!]$. By Lemma 4.4.5, there is a conflict-free resolution $\mathcal{R}$ of $\mathcal{T}^{\dagger}[\![c']\!]$ for $\varphi$. Define sets

        $A = \{d_i \mid 1 \le i \le m \ \&\ \mathcal{R}(\varphi_i) = (d_i, F)\}$ and $Y = \{d_i \mid 1 \le i \le m \ \&\ \mathcal{R}(\varphi_i) = (d_i, E)\}$;

    because $\mathcal{R}$ is conflict-free, it follows that $\neg\mathrm{match}(A, Y)$.

    Define sets $G_x = \{h!0 \mid h? \in A\} \cup \{h?x \mid h! \in A\}$ and $G_y = \{h!0 \mid h? \in Y\} \cup \{h?y \mid h! \in Y\}$, so that each direction in $A$ has a matching guard in $G_x$ and each direction in $Y$ has a matching guard in $G_y$. Let $\mathrm{Guess}(H, G_x, f1)$ abbreviate the command in Figure 4.1, where $H$ stands for the channels $h_1, \ldots, h_k$ and the case construct is used as syntactic sugar for the corresponding series of nested if-statements. Intuitively, the program $\mathrm{Guess}(H, G_x, f1)$ can synchronize with any computation of any program that uses only the channels $h_1, \ldots, h_k$ for visible communication. For each synchronization, $\mathrm{Guess}(H, G_x, f1)$ "guesses" the particular communication necessary for synchronization¹. Moreover, in any infinite computation of $\mathrm{Guess}(H, G_x, f1)$, the directions associated with the guards in $G_x$ are enabled infinitely often. Consequently, if the program in parallel with $\mathrm{Guess}(H, G_x, f1)$ treats any of the directions in $A$ unfairly, the flag $f1$ will necessarily be set to 1 eventually.

    Let $P[-]$ be the following context:

        $([-] \parallel \mathrm{Guess}(H, G_x, f1) \parallel \sum_{g \in G_y} g \to f2{:=}1)\backslash h_1 \backslash \cdots \backslash h_k$.

    $\mathcal{M}[\![P[c]]\!]$ has a behavior corresponding to $\alpha$ in which neither $f1$ nor $f2$ is ever set to 1. In contrast, every behavior of $\mathcal{M}[\![P[c']]\!]$ corresponding to $\alpha$ must eventually set at least one of the flags $f1$ and $f2$ to 1. ■

¹The case where $\mathit{comm} \bmod (2k+1) = 0$ is necessary when $\alpha$ involves only finitely many visible communications (e.g., $(s, \epsilon, s)^{\omega}$).

    $\mathit{count}{:=}\mathit{count}+1;\ \mathit{synch}{:=}1;$
    while true do
        $\mathrm{Pick\_Int}(\mathit{comm})$;
        $\mathrm{Pick\_Int}(\mathit{value})$;
        case ($\mathit{comm} \bmod (2k+1)$) of
            1:      $\mathit{synch}{:=}0;\ ((h_1!\mathit{value} \to \mathit{synch}{:=}1)\ \Box\ \sum_{g \in G_x}(g \to f1{:=}1))$
            2:      $\mathit{synch}{:=}0;\ ((h_1?\mathit{value} \to \mathit{synch}{:=}1)\ \Box\ \sum_{g \in G_x}(g \to f1{:=}1))$
            $\vdots$
            $2k-1$: $\mathit{synch}{:=}0;\ ((h_k!\mathit{value} \to \mathit{synch}{:=}1)\ \Box\ \sum_{g \in G_x}(g \to f1{:=}1))$
            $2k$:   $\mathit{synch}{:=}0;\ ((h_k?\mathit{value} \to \mathit{synch}{:=}1)\ \Box\ \sum_{g \in G_x}(g \to f1{:=}1))$
            0:      $\mathit{synch}{:=}0;\ (((a?\mathit{value} \to \mathit{synch}{:=}1)\ \Box\ \sum_{g \in G_x}(g \to f1{:=}1)) \parallel a!0)\backslash a$
        endcase;
        $\mathit{count}{:=}\mathit{count}+1$.

Figure 4.1: The program $\mathrm{Guess}(H, G_x, f1)$.
    $c_1 \parallel c_2 = c_2 \parallel c_1$
    $(c_1 \parallel c_2) \parallel c_3 = c_1 \parallel (c_2 \parallel c_3)$
    $(c_1 \parallel c_2)\backslash h = c_1 \parallel (c_2 \backslash h)$, provided $h \notin \mathrm{fc}[\![c_1]\!]$
    $c \backslash h = c$, provided $h \notin \mathrm{fc}[\![c]\!]$
    $(a!0 \to b!0)\ \Box\ (b!0 \to a!0) = a!0 \parallel b!0$
    (if $b$ then $c_1$ else $c_2$); $c$ $=$ if $b$ then $c_1;c$ else $c_2;c$
    (if $b$ then $c_1$ else $c_2$) $\parallel$ $c$ $\ne$ if $b$ then ($c_1 \parallel c$) else ($c_2 \parallel c$)
    (if $b$ then $c_1$ else $c_2$) $\parallel$ (skip;$c$) $=$ if $b$ then ($c_1 \parallel$ skip;$c$) else ($c_2 \parallel$ skip;$c$)

Figure 4.2: Some program (in)equivalences validated by $\mathcal{T}^{\dagger}$.


This full abstraction result shows that $\mathcal{T}^{\dagger}$ provides precisely the correct level of abstraction to support compositional reasoning about the program behavior $\mathcal{M}$. As a consequence, the semantics $\mathcal{T}^{\dagger}$ validates several natural program (in)equivalences (with respect to $\mathcal{M}$) that hold under strong fairness. Figure 4.2 lists several of these properties, where we write $c = c'$ to indicate that $\mathcal{T}^{\dagger}[\![c]\!] = \mathcal{T}^{\dagger}[\![c']\!]$. Many of these properties appear obvious, but proving them using purely operational methods is very difficult. Moreover, "obvious" properties may not hold under certain notions of fairness; for example, the equivalence

    $(a!0 \to b!0)\ \Box\ (b!0 \to a!0) = a!0 \parallel b!0$

does not hold under weak fairness, as we shall see in Chapter 6.


4.5  Other Notions of Program Behavior

The state trace behavior $\mathcal{M}$ introduced in Definition 4.1.1 incorporates the assumptions that external communication is prohibited, that every state change can be detected, and that deadlock can be distinguished from successful termination and infinite chattering. In this section, we consider several other notions of behavior that relax one or more of these assumptions, in each case showing how the semantics can be adapted to yield full abstraction. The changes to the semantics primarily affect the simple trace components of the fair traces. The underlying notion of parameterized strong fairness, and thus the extra contextual information necessary to incorporate fairness assumptions, remains the same.

The ease with which the semantics can be modified to yield full abstraction for these other notions of behavior reflects the robustness of the framework. In particular, the notion of computational feasibility and the related definitions and lemmas of Section 4.4 are independent of the structure of simple traces and can be revised for other types of simple traces effortlessly. As a result, the proofs of full abstraction for the behaviors in this section all follow the proof of Proposition 4.4.6 very closely.

4.5.1  Simple trace behavior

The state trace behavior $\mathcal{M}$ adopts a view of programs as closed systems that cannot communicate with the external world. According to this view, all communication is internal and synchronous; an observer cannot possibly detect visible (i.e., external) communications, because such communications are not possible in a closed system. However, it is reasonable to relax this assumption and to assume instead that an open system's interactions with its environment are observable. Moreover, to reason about the possible interactions a command may have with its environment, it is essential to assume that these communications can be observed. If we adopt this view, then it is natural to consider the simple trace behavior function $\mathcal{S} : \mathrm{Com} \to \mathcal{P}(\Sigma^{\infty} \cup \Sigma^{*}\delta)$ defined by:

    $\mathcal{S}[\![c]\!] = \{\mathrm{trace}(\rho) \mid \rho = (c, s_0) \to (c_1, s_1) \to \cdots \to (c_k, s_k)\ \mathrm{term}\}$
    $\qquad \cup\ \{\mathrm{trace}(\rho)\delta \mid \rho = (c, s_0) \to (c_1, s_1) \to \cdots \to (c_k, s_k)\ \mathrm{dead}\}$
    $\qquad \cup\ \{\mathrm{trace}(\rho) \mid \rho = (c, s_0) \to \cdots \to (c_k, s_k) \to \cdots \text{ is fair}\}$.

This behavior $\mathcal{S}$ again incorporates the assumption that deadlock can be distinguished from both successful termination and infinite chattering, and that every single transition can be detected.

The behavior $\mathcal{S}$ clearly includes more information about a command's possible computations than $\mathcal{M}$ does: for any command $c$, the set $\mathcal{S}[\![c]\!]$ is a superset of $\mathcal{M}[\![c]\!]$ (identifying a trace whose only label is $\epsilon$ with its sequence of states). However, as the following full abstraction result attests, the two behaviors induce exactly the same notion of contextual equivalence: two programs exhibit the same $\mathcal{M}$ behaviors in all program contexts if and only if they exhibit the same $\mathcal{S}$ behaviors in all program contexts. The reason for this apparent discrepancy is that both behaviors require the same support for compositional reasoning: to reason compositionally about $\epsilon$-steps along a computation of a parallel command, we need to know the communications that are possible for the individual components.

Proposition 4.5.1  The closed trace semantics $\mathcal{T}^{\dagger}$ is inequationally fully abstract with respect to $\mathcal{S}$: for all commands $c$ and $c'$,

    $\mathcal{T}^{\dagger}[\![c]\!] \subseteq \mathcal{T}^{\dagger}[\![c']\!] \iff \forall P[-].\ \mathcal{S}[\![P[c]]\!] \subseteq \mathcal{S}[\![P[c']]\!]$.

Proof: The forward implication follows from the compositionality of $\mathcal{T}^{\dagger}$, the monotonicity of operations on trace sets, and the fact that, for all commands $c$, $\mathcal{S}[\![c]\!]$ can be extracted from $\mathcal{T}^{\dagger}[\![c]\!]$.

For the reverse implication, assume $\mathcal{T}^{\dagger}[\![c]\!] \not\subseteq \mathcal{T}^{\dagger}[\![c']\!]$. By Proposition 4.4.6, there exists a context $P[-]$ and a behavior $\beta$ that is in $\mathcal{M}[\![P[c]]\!] - \mathcal{M}[\![P[c']]\!]$. Because

    $\mathcal{M}[\![P[c]]\!] = \{\beta \in \mathcal{S}[\![P[c]]\!] \mid \mathrm{chans}(\beta) = \{\epsilon\}\}$

(and likewise for $\mathcal{M}[\![P[c']]\!]$), $\beta$ must also be in $\mathcal{S}[\![P[c]]\!] - \mathcal{S}[\![P[c']]\!]$. ■

4.5.2  Stuttering and mumbling

The behaviors $\mathcal{M}$ and $\mathcal{S}$ both assume an "omniscient" observer capable of detecting every state change made during a computation. This assumption corresponds to the use of next-time operators in various temporal logics, whereby (for example) the commands skip and skip;skip can be distinguished. In many cases, however, an observer cannot be guaranteed to detect each and every state change. Moreover, the concept of "next state" can be ill-defined, because states in the operational semantics do not always correspond to processor states in a meaningful way. For example, suppose a program is distributed across multiple machines with different clock speeds. Even if an observer can look at any (or all) of the machines at any time instant, it is unclear which intervals between those instants correspond to transitions in the operational semantics. When a process on a (relatively) fast processor can perform internal actions, each clock tick may indicate a transition; when that same process is waiting to synchronize with a slower process, intermediate clock ticks may not correspond to transitions in any meaningful way. As a result, it is often appropriate to assume only that an observer is capable of seeing some subsequence of the states encountered during a computation. In doing so, we obtain notions of behavior based on the reflexive, transitive closures of the one-step transition relations.

We first introduce generalized relations $\stackrel{\lambda}{\Rightarrow}$ ($\lambda \in \Delta$), where $\stackrel{\epsilon}{\Rightarrow}$ is the reflexive, transitive closure of $\stackrel{\epsilon}{\to}$ and $\stackrel{\lambda}{\Rightarrow}$ (for $\lambda \ne \epsilon$) is defined so that $(c, s) \stackrel{\lambda}{\Rightarrow} (c', s')$ if and only if there exist $c_1, c_2, s_1, s_2$ for which $(c, s) \stackrel{\epsilon}{\Rightarrow} (c_1, s_1) \stackrel{\lambda}{\to} (c_2, s_2) \stackrel{\epsilon}{\Rightarrow} (c', s')$. Based on these generalized relations, we define the generalized state transition trace behavior $\mathcal{M}^{*} : \mathrm{Com} \to \mathcal{P}(S^{\infty} \cup S^{*}\delta)$ and the generalized simple trace behavior $\mathcal{S}^{*} : \mathrm{Com} \to \mathcal{P}(\Sigma^{\infty} \cup \Sigma^{*}\delta)$ as follows:

    $\mathcal{M}^{*}[\![c]\!] = \{s_0 s_1 \cdots s_k \mid (c, s_0) \Rightarrow (c_1, s_1) \Rightarrow \cdots \Rightarrow (c_k, s_k)\ \mathrm{term}\}$
    $\qquad \cup\ \{s_0 s_1 \cdots s_k \delta \mid (c, s_0) \Rightarrow (c_1, s_1) \Rightarrow \cdots \Rightarrow (c_k, s_k)\ \mathrm{dead}\}$
    $\qquad \cup\ \{s_0 s_1 \cdots s_k \cdots \mid (c, s_0) \Rightarrow \cdots \Rightarrow (c_k, s_k) \Rightarrow \cdots \text{ is fair}\}$,

    $\mathcal{S}^{*}[\![c]\!] = \{\mathrm{trace}(\rho) \mid \rho = (c, s_0) \Rightarrow (c_1, s_1) \Rightarrow \cdots \Rightarrow (c_k, s_k)\ \mathrm{term}\}$
    $\qquad \cup\ \{\mathrm{trace}(\rho)\delta \mid \rho = (c, s_0) \Rightarrow (c_1, s_1) \Rightarrow \cdots \Rightarrow (c_k, s_k)\ \mathrm{dead}\}$
    $\qquad \cup\ \{\mathrm{trace}(\rho) \mid \rho = (c, s_0) \Rightarrow \cdots \Rightarrow (c_k, s_k) \Rightarrow \cdots \text{ is fair}\}$.
To account properly for the reflexivity and transitivity of the relations $\stackrel{\lambda}{\Rightarrow}$, we need to impose closure conditions on trace sets corresponding to "stuttering" and "mumbling" [Lam83, Bro96b]. Stuttering captures the reflexivity of $\stackrel{\epsilon}{\Rightarrow}$ and has the effect of introducing idle steps into traces. A trace of form $(\alpha\beta, \theta)$ stutters to the trace $(\alpha(s, \epsilon, s)\beta, \theta)$ when $s$ is the final state of $\alpha$ and the initial state of $\beta$. Each partial trace of form $(\alpha, (F, E, \mathrm{p}))$ also stutters to the trace $(\alpha, (\{\epsilon\}, \{\epsilon\}, \mathrm{p}))$. Such stuttering steps introduce the relevant partial traces for every possible idle-step introduction: the fairness and enabling sets $\{\epsilon\}$ reflect the possibility of an idle step immediately following $\alpha$.

Mumbling has the effect of absorbing $\epsilon$-steps, just as the $\stackrel{\lambda}{\Rightarrow}$ relations absorb $\epsilon$-transitions. A trace with form $(\alpha(s, \epsilon, s')(s', \lambda, s'')\beta, \theta)$ or $(\alpha(s, \lambda, s')(s', \epsilon, s'')\beta, \theta)$ mumbles to the trace $(\alpha(s, \lambda, s'')\beta, \theta)$. Each partial trace $(\alpha(s, \epsilon, s'), (F, E, \mathrm{p}))$ also mumbles to the partial trace $(\alpha, (F \cup \{\epsilon\}, E \cup \{\epsilon\}, \mathrm{p}))$. Such mumbling steps capture the intuition that, if $\alpha$ represents a transition sequence ending in configuration $(c, s)$, then each direction in $E \cup \{\epsilon\}$ represents some $\stackrel{\lambda}{\Rightarrow}$-transition possible from the configuration $(c, s)$.

We summarize these stuttering and mumbling steps by the relations $\mathit{stut}$ and $\mathit{mumb}$ on traces, defined as follows:

    $\mathit{stut} = \{((\alpha\beta, \theta), (\alpha(s, \epsilon, s)\beta, \theta)) \mid \alpha\beta \in \Sigma^{\infty} \ \&\ s \in S\}$
    $\qquad \cup\ \{((\alpha, (F, E, \mathrm{p})), (\alpha, (\{\epsilon\}, \{\epsilon\}, \mathrm{p}))) \mid \alpha \in \Sigma^{*}\}$,
    $\mathit{mumb} = \{((\alpha(s, \epsilon, s')(s', \lambda, s'')\beta, \theta), (\alpha(s, \lambda, s'')\beta, \theta)) \mid \alpha(s, \lambda, s'')\beta \in \Sigma^{\infty}\}$
    $\qquad \cup\ \{((\alpha(s, \lambda, s')(s', \epsilon, s'')\beta, \theta), (\alpha(s, \lambda, s'')\beta, \theta)) \mid \alpha(s, \lambda, s'')\beta \in \Sigma^{\infty}\}$
    $\qquad \cup\ \{((\alpha(s, \epsilon, s'), (F, E, \mathrm{p})), (\alpha, (F \cup \{\epsilon\}, E \cup \{\epsilon\}, \mathrm{p}))) \mid \alpha(s, \epsilon, s') \in \Sigma^{*}\}$.

Intuitively, the pair $(\varphi_1, \varphi_2)$ is in $\mathit{stut}$ if $\varphi_2$ can be obtained from $\varphi_1$ by inserting an extra idle step. Similarly, the pair $(\varphi_1, \varphi_2)$ is in $\mathit{mumb}$ if $\varphi_2$ can be obtained from $\varphi_1$ by absorbing an $\epsilon$-step.

Letting $\mathit{id} = \{(\alpha, \alpha) \mid \alpha \in \Sigma^{\infty}\}$ be the identity relation on simple traces, we follow the approach of [Bro96a] and define $\mathit{stut}^{\infty}$ and $\mathit{mumb}^{\infty}$ to be the (respective) greatest fixed points of the functionals

    $F(R) = \mathit{stut} \cdot R \cup \mathit{id}$,   $G(R) = \mathit{mumb} \cdot R \cup \mathit{id}$.

That is, we define

    $\mathit{stut}^{\infty} = \mathit{stut}^{*} \cdot \mathit{id} \cup \mathit{stut}^{\omega}$,   $\mathit{mumb}^{\infty} = \mathit{mumb}^{*} \cdot \mathit{id} \cup \mathit{mumb}^{\omega}$,

with the concatenation operator ($\cdot$) and the iterative operators ($-^{*}$ and $-^{\omega}$) extended to sets of pairs of traces. Intuitively, the pair $(\varphi, \varphi')$ is in $\mathit{stut}^{\infty}$ (respectively, $\mathit{mumb}^{\infty}$) if $\varphi'$ can be obtained by inserting an idle step (respectively, eliding an $\epsilon$-step) at some of the positions along $\varphi$'s simple-trace component. In particular, when $\varphi$ is an infinite trace, the stuttering and mumbling operations can be applied at potentially infinitely many places along $\varphi$ but not infinitely many times at any particular place along $\varphi$. This point is essential for avoiding the accidental introduction of divergence: stuttering should not transform the finite trace $((s, \epsilon, s), (\emptyset, \emptyset, \mathrm{f}))$ into the infinite trace $((s, \epsilon, s)^{\omega}, (\emptyset, \emptyset, \mathrm{i}))$.
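To make the stuttering and mumbling relations concrete, the following Python script (an added example, not part of the dissertation) operates on the simple-trace component of a trace, represented as a tuple of steps $(s, \lambda, s')$ with `EPS` standing for an internal $\epsilon$-step. `stutter` inserts one idle step, `mumble` absorbs one $\epsilon$-step into a neighbouring step exactly as in the two simple-trace clauses of $\mathit{mumb}$, and `normal_form` applies mumbling until no $\epsilon$-step can be absorbed, which is what makes skip and skip;skip indistinguishable under $\mathcal{M}^{*}$ while leaving a single idle step in place rather than deleting it (so no trace is lost and no divergence is introduced). The traces `SKIP`, `SKIP_SKIP` and `ALPHA` are constructed for the example.

```python
"""Stuttering and mumbling on simple traces (Section 4.5.2).  Added example;
the traces below are constructed for illustration.

A simple trace is a tuple of steps (s, lam, s2): state s before, label lam
(a communication such as "h!3", or EPS for an internal step), state s2 after.
Consecutive steps must agree on the intermediate state.
"""

EPS = "eps"


def states(alpha):
    """The sequence of states encountered along alpha (states(alpha) in the text)."""
    if not alpha:
        return ()
    return (alpha[0][0],) + tuple(step[2] for step in alpha)


def well_formed(alpha):
    """Consecutive steps agree on the intermediate state."""
    return all(alpha[k][2] == alpha[k + 1][0] for k in range(len(alpha) - 1))


def stutter(alpha, k):
    """Insert an idle step (s, EPS, s) at position k, where s is the state
    reached after the first k steps; this is one application of stut."""
    s = alpha[k][0] if k < len(alpha) else alpha[-1][2]
    return alpha[:k] + ((s, EPS, s),) + alpha[k:]


def mumble(alpha, k):
    """Absorb an EPS step: (s,EPS,s')(s',lam,s'') or (s,lam,s')(s',EPS,s'')
    becomes (s,lam,s''); this is one application of mumb at position k."""
    (s, l1, s1), (t, l2, s2) = alpha[k], alpha[k + 1]
    assert s1 == t, "trace is not well formed"
    if l1 == EPS:
        lam = l2
    elif l2 == EPS:
        lam = l1
    else:
        raise ValueError("neither step at position %d is an EPS step" % k)
    return alpha[:k] + ((s, lam, s2),) + alpha[k + 2:]


def normal_form(alpha):
    """Mumble until no adjacent pair contains an EPS step.  A trace made only
    of internal steps collapses to a single (s, EPS, s') step; it never
    disappears, and nothing is ever added, so no divergence is introduced."""
    while True:
        for k in range(len(alpha) - 1):
            if alpha[k][1] == EPS or alpha[k + 1][1] == EPS:
                alpha = mumble(alpha, k)
                break
        else:
            return alpha


def is_subsequence(xs, ys):
    """True when xs can be obtained from ys by deleting elements; the observer
    of Section 4.5.2 sees a subsequence of the states of the full computation."""
    it = iter(ys)
    return all(x in it for x in xs)


# Constructed traces: skip, skip;skip, and an output on h between two
# internal state changes.
SKIP = (("s", EPS, "s"),)
SKIP_SKIP = (("s", EPS, "s"), ("s", EPS, "s"))
ALPHA = (("s0", EPS, "s1"), ("s1", "h!3", "s1"), ("s1", EPS, "s2"))

if __name__ == "__main__":
    print(normal_form(SKIP_SKIP) == normal_form(SKIP))   # skip and skip;skip agree
    print(normal_form(ALPHA))                             # (("s0", "h!3", "s2"),)
    print(states(ALPHA), states(normal_form(ALPHA)))
```

The normal form of `ALPHA` is the single step $(s_0, h!3, s_2)$, the $\stackrel{h!3}{\Rightarrow}$-transition that absorbs the internal steps on either side of the communication; `states` of the result is a subsequence of `states(ALPHA)`, and stuttering followed by mumbling at the same position gives the original trace back.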

With these definitions in hand, we define closure under stuttering and mumbling on trace sets in the following way.

Definition 4.5.2  Given a trace set $T$, $T^{\star}$ is the smallest set containing $T$ and closed under stuttering and mumbling:

•  If $\varphi$ is in $T^{\star}$ and $(\varphi, \varphi') \in \mathit{stut}^{\infty}$, then $\varphi'$ is also in $T^{\star}$.

•  If $\varphi$ is in $T^{\star}$ and $(\varphi, \varphi') \in \mathit{mumb}^{\infty}$, then $\varphi'$ is also in $T^{\star}$. ◇

These closure conditions can be combined with the conditions introduced in Definition 4.2.1. For a trace set $T$, we define $T^{\ddagger} = (T^{\dagger})^{\star}$, so that $T^{\ddagger}$ is closed under stuttering and mumbling, as well as superset, union, convexity, displacement and contention.

We let $\mathcal{P}^{\ddagger}$ be the set of closed sets of traces. Much as before, we can define a denotational semantic function $\mathcal{T}^{\ddagger} : \mathrm{Com} \to \mathcal{P}^{\ddagger}$ such that, for all commands $c$, $\mathcal{T}^{\ddagger}[\![c]\!] = (\mathcal{T}[\![c]\!])^{\ddagger}$. The addition of the stuttering and mumbling closure conditions is sufficient to yield full abstraction with respect to the generalized behaviors $\mathcal{M}^{*}$ and $\mathcal{S}^{*}$, as shown by the following results.

Proposition 4.5.3  The semantics $\mathcal{T}^{\ddagger}$ is inequationally fully abstract with respect to $\mathcal{M}^{*}$: for all commands $c$ and $c'$,

    $\mathcal{T}^{\ddagger}[\![c]\!] \subseteq \mathcal{T}^{\ddagger}[\![c']\!] \iff \forall P[-].\ \mathcal{M}^{*}[\![P[c]]\!] \subseteq \mathcal{M}^{*}[\![P[c']]\!]$.

Proof: (Sketch) The forward implication follows from the compositionality of $\mathcal{T}^{\ddagger}$, the monotonicity of operations on trace sets, and the fact that, for all commands $c$, $\mathcal{M}^{*}[\![c]\!]$ can be extracted from $\mathcal{T}^{\ddagger}[\![c]\!]$.

The reverse implication follows from a case analysis similar to that used in the proof of Proposition 4.4.6. In fact, the cases for finite and infinite traces are exactly the same; the case for partial traces needs to be modified only slightly, as follows.

Suppose the partial trace $\varphi = (\alpha, (F, E, \mathrm{p}))$ is in $\mathcal{T}^{\ddagger}[\![c]\!] - \mathcal{T}^{\ddagger}[\![c']\!]$, and without loss of generality assume that $F = E$. Let $h_1, \ldots, h_k$ be the channel names appearing in $c$, and let $x$, $y$ and $\mathit{flag}$ be fresh identifiers, not appearing in $c$ or $c'$.

Let $(\alpha, (E_1, E_1, \mathrm{p})), \ldots, (\alpha, (E_m, E_m, \mathrm{p}))$ be the finite number of minimal partial $\alpha$-traces in $\mathcal{T}^{\ddagger}[\![c']\!]$, and let $Z = \bigcup_{i=1}^{m} E_i$. Closure of $\mathcal{T}^{\ddagger}[\![c']\!]$ under union and convexity again ensures that either $E \not\subseteq Z$ or, for each $i \le m$, $E_i \not\subseteq E$.

When $E \not\subseteq Z$, the distinguishing context is identical to that used in the proof of Proposition 4.4.6. If (instead) each $E_i \not\subseteq E$, then for each $i$ choose a direction $d_i \in E_i - E$ such that (when possible) $d_i \ne \epsilon$. Let $g_i$ be a matching guard for $d_i$ whenever $d_i \ne \epsilon$, and define the set $G = \{g_i \mid d_i \ne \epsilon \ \&\ 1 \le i \le m\}$. Let $P[-]$ be the following context:

    $([-] \parallel \mathrm{Match}_{x,1}(\alpha);\ y{:=}0;\ \sum_{g \in G} g \to \mathit{flag}{:=}1)\backslash h_1 \backslash \cdots \backslash h_k$.

The only difference between this distinguishing context and the one used for the same case in the proof of Proposition 4.4.6 is that we do not include an arbitrary guard $a!0$ for chosen directions $d_i = \epsilon$. The cases where $d_i = \epsilon$ can be ignored, because such steps are either idle steps (in which case some other chosen $d_j$ is appropriate), steps in which the state changes (and are therefore noticeable), or steps that lead to divergence.

$\mathcal{M}^{*}[\![P[c]]\!]$ has a deadlocked behavior corresponding to $\alpha$ in which the value of $y$ in the final state is 0 and $c$'s local portion of the state looks like the final state of $\alpha$. In contrast, every behavior in $\mathcal{M}^{*}[\![P[c']]\!]$ with a prefix corresponding to $\alpha$ must do one of the following: set the value of $\mathit{flag}$ to 1; terminate or deadlock in a state in which $c$'s local portion is not the same as the final state of $\alpha$; or make an infinite number of $\epsilon$-transitions. ■

Proposition 4.5.4  The semantics $\mathcal{T}^{\ddagger}$ is inequationally fully abstract with respect to $\mathcal{S}^{*}$: for all commands $c$ and $c'$,

Proof: By obvious analogy with the proof of Proposition 4.5.1. ■

4.5.3  Busy  waiting 

The behaviors $\mathcal{M}$ and $\mathcal{S}$ (as well as their generalized forms $\mathcal{M}^*$ and $\mathcal{S}^*$) assume that deadlock can be distinguished from both successful termination and infinite chattering. The semantics $\mathcal{T}$ and $\mathcal{T}^{\dagger}$ are well-suited to this assumption, using different forms of traces to represent successfully terminating, infinite and deadlocked computations. From an implementation point of view, however, deadlock and blocking often appear in the guise of busy-waiting. Because a scheduler cannot always detect a priori whether a process has become blocked, it may continue to allocate processor cycles to a process that has no transitions enabled. This view of the world can be captured by the following busy-waiting trace behavior $\mathcal{W} : \mathit{Com} \to \mathcal{P}(S^{\infty})$, in which deadlock is modeled as busy-waiting:

$$\begin{aligned}
\mathcal{W}[\![c]\!] ={}& \{ s_0 s_1 \ldots s_k \mid (c, s_0) \to (c_1, s_1) \to \cdots \to (c_k, s_k)\,\mathit{term} \} \\
\cup{}& \{ s_0 s_1 \ldots s_k (s_k)^{\omega} \mid (c, s_0) \to (c_1, s_1) \to \cdots \to (c_k, s_k)\,\mathit{dead} \} \\
\cup{}& \{ s_0 s_1 \ldots s_k \ldots \mid (c, s_0) \to (c_1, s_1) \to \cdots \to (c_k, s_k) \to \cdots \text{ is strongly fair} \}.
\end{aligned}$$

This behavior does not distinguish between deadlock and infinite idle chattering. Thus, for example, $\mathcal{W}[\![a!0 \backslash a]\!] = \mathcal{W}[\![\mathbf{while}\ \mathit{true}\ \mathbf{do}\ \mathbf{skip}]\!] = \{ s^{\omega} \mid s \in S \}$.

To reason compositionally about $\mathcal{W}$, we introduce a semantics that is related to $\mathcal{T}^{\dagger}$ but that represents blocked computations by infinite traces. Intuitively, a partial computation that becomes blocked mod $F$ in a configuration $(c, s)$ can be represented by the fair trace


where $\alpha$ is the finite trace corresponding to the transitions made before the computation became blocked and $E \subseteq F$ is the set of directions on which $c$ was trying to communicate. Intuitively, a computation that is blocked mod $E$ is fair mod $E$ (and fair mod $F \supseteq E$), and the infinitely enabled directions are the elements of $E$.

Employing the closure operators defined in Definitions 4.5.2 and 4.2.1 (and ignoring the conditions for partial traces), we introduce closure into our semantics from the beginning. We can give an operational characterization of the trace semantics $\mathcal{T}_b : \mathit{Com} \to \mathcal{P}(\Phi)$ as follows:


$$\begin{aligned}
\mathcal{T}_b[\![c]\!] = \Big( & \{ (\mathit{trace}(\rho), (F, \mathit{en}(\rho), f)) \mid \rho = (c, s_0) \to \cdots \to (c_{k+1}, s_{k+1})\,\mathit{term} \text{ is fair mod } F \} \\
\cup\; & \{ (\mathit{trace}(\rho)(s_k, \delta, s_k)^{\omega}, (F, E, i)) \mid F \supseteq E = \mathit{inits}(c_k, s_k) \;\&\; \delta \notin E \;\& \\
& \qquad \rho = (c, s_0) \to \cdots \to (c_k, s_k) \;\&\; \neg (c_k, s_k)\,\mathit{term} \} \\
\cup\; & \{ (\mathit{trace}(\rho), (F, \mathit{en}(\rho), i)) \mid \rho = (c, s_0) \to \cdots \text{ is strongly fair mod } F \} \Big)^{\dagger}.
\end{aligned}$$


The denotational characterization of $\mathcal{T}_b$ is very similar to the denotational characterizations of $\mathcal{T}$ and $\mathcal{T}^{\dagger}$. Once again we define operations on trace sets corresponding to each of the constructs of the language. In general, the operations on trace sets remain the same; the clauses for traces with form $(\alpha, (F, E, p))$ are simply ignored. However, the definition of the guarded-choice operator on trace sets depends critically on partial traces with form $(\varepsilon_s, (F, E, p))$ for generating the correct enabling information for finite traces. We therefore need to adapt the definition to use infinite traces instead of partial traces.

We first introduce a predicate $\mathit{idle}$ on simple traces, such that $\mathit{idle}(\alpha)$ is true whenever $\alpha$ has the form $(s, \delta, s)^{\omega}$ for some state $s$. Because the first true step of any computation of a guarded command necessarily involves a non-$\delta$ transition, every idle trace $\alpha$ necessarily represents a partial computation “stuck” in the initial state. Consequently, we can always determine which actions are possible for a given component by examining those directions enabled infinitely often along an idle trace originating in the appropriate state. By replacing each mention of the partial trace $(\varepsilon_s, (F, E, p))$ in the original definition by the infinite trace $((s, \delta, s)^{\omega}, (F, E, i))$, we define the new guarded-choice operator as follows:

$$\begin{aligned}
T_1 \mathbin{\Box} T_2 ={}& \{ (\alpha, (F, E, i)) \in T_1 \cup T_2 \mid \alpha \in \Sigma^{\omega} \;\&\; \neg\mathit{idle}(\alpha) \} \\
\cup{}& \{ (\alpha, (F_1 \cup F_2, E_1 \cup E_2, i)) \mid (\alpha, (F_1, E_1, i)) \in T_1 \;\&\; (\alpha, (F_2, E_2, i)) \in T_2 \;\&\; \mathit{idle}(\alpha) \} \\
\cup{}& \{ (\alpha, (F_1, E_1 \cup E_2, f)) \mid (\varepsilon_s \alpha, (F_1, E_1, f)) \in T_1 \;\&\; ((s, \delta, s)^{\omega}, (F_2, E_2, i)) \in T_2 \} \\
\cup{}& \{ (\alpha, (F_2, E_1 \cup E_2, f)) \mid (\varepsilon_s \alpha, (F_2, E_2, f)) \in T_2 \;\&\; ((s, \delta, s)^{\omega}, (F_1, E_1, i)) \in T_1 \}.
\end{aligned}$$

The altered definition of the guarded-choice operator represents the only necessary change to the operations on trace sets. The trace semantics $\mathcal{T}_b : \mathit{Com} \to \mathcal{P}(\Phi)$ therefore can be defined in its entirety as follows. Note that the partial traces for skip, assignment, and guards are now represented by infinite, idle traces.

Definition 4.5.5 The trace semantic function $\mathcal{T}_b : \mathit{Com} \to \mathcal{P}(\Phi)$ is defined by:

$$\begin{aligned}
\mathcal{T}_b[\![\mathbf{skip}]\!] &= \{ ((s, \delta, s), (F, \emptyset, f)) \mid s \in S \;\&\; F \in \mathcal{P}_{fin}(\Delta) \}^{\dagger} \\
\mathcal{T}_b[\![i{:=}e]\!] &= \{ ((s, \delta, [s \mid i = n]), (F, \emptyset, f)) \mid \mathit{fv}[\![i{:=}e]\!] \subseteq \mathrm{dom}(s) \;\&\; F \in \mathcal{P}_{fin}(\Delta) \;\&\; (s, n) \in \mathcal{E}[\![e]\!] \}^{\dagger} \\
\mathcal{T}_b[\![c_1; c_2]\!] &= (\mathcal{T}_b[\![c_1]\!]; \mathcal{T}_b[\![c_2]\!])^{\dagger} \\
\mathcal{T}_b[\![\mathbf{if}\ b\ \mathbf{then}\ c_1\ \mathbf{else}\ c_2]\!] &= (\mathcal{T}_b[\![b]\!]; \mathcal{T}_b[\![c_1]\!] \cup \mathcal{T}_b[\![\neg b]\!]; \mathcal{T}_b[\![c_2]\!])^{\dagger} \\
\mathcal{T}_b[\![\mathbf{while}\ b\ \mathbf{do}\ c]\!] &= ((\mathcal{T}_b[\![b]\!]; \mathcal{T}_b[\![c]\!])^{\omega} \cup (\mathcal{T}_b[\![b]\!]; \mathcal{T}_b[\![c]\!])^{*}; \mathcal{T}_b[\![\neg b]\!])^{\dagger} \\
\mathcal{T}_b[\![h?i]\!] &= (\{ ((s, h?n, [s \mid i = n]), (F, \{h?\}, f)) \mid i \in \mathrm{dom}(s) \;\&\; n \in \mathbb{Z} \;\&\; F \in \mathcal{P}_{fin}(\Delta) \} \\
&\qquad \cup \{ ((s, \delta, s)^{\omega}, (F, \{h?\}, i)) \mid i \in \mathrm{dom}(s) \;\&\; F \supseteq \{h?\} \})^{\dagger} \\
\mathcal{T}_b[\![h!e]\!] &= (\{ ((s, h!n, s), (F, \{h!\}, f)) \mid (s, n) \in \mathcal{E}[\![e]\!] \;\&\; F \in \mathcal{P}_{fin}(\Delta) \} \\
&\qquad \cup \{ ((s, \delta, s)^{\omega}, (F, \{h!\}, i)) \mid \mathit{fv}[\![e]\!] \subseteq \mathrm{dom}(s) \;\&\; F \supseteq \{h!\} \})^{\dagger} \\
\mathcal{T}_b[\![g \to c]\!] &= (\mathcal{T}_b[\![g]\!]; \mathcal{T}_b[\![c]\!])^{\dagger} \\
\mathcal{T}_b[\![gc_1 \mathbin{\Box} gc_2]\!] &= (\mathcal{T}_b[\![gc_1]\!] \mathbin{\Box} \mathcal{T}_b[\![gc_2]\!])^{\dagger} \\
\mathcal{T}_b[\![c_1 \| c_2]\!] &= (\mathcal{T}_b[\![c_1]\!] \| \mathcal{T}_b[\![c_2]\!])^{\dagger} \\
\mathcal{T}_b[\![c \backslash h]\!] &= (\mathcal{T}_b[\![c]\!] \backslash h)^{\dagger}.
\end{aligned}$$

Proposition 4.5.6 The semantics $\mathcal{T}_b$ is inequationally fully abstract with respect to $\mathcal{W}$: for all commands $c$ and $c'$,

$$\mathcal{T}_b[\![c]\!] \subseteq \mathcal{T}_b[\![c']\!] \iff \forall P[-].\; \mathcal{W}[\![P[c]]\!] \subseteq \mathcal{W}[\![P[c']]\!].$$

Proof: The forward implication follows from the compositionality of $\mathcal{T}_b$, the monotonicity of operations on trace sets, and the fact that, for all commands $c$, $\mathcal{W}[\![c]\!]$ can be extracted from $\mathcal{T}_b[\![c]\!]$.

The reverse implication uses an abbreviated version of the case analysis in the proof of Proposition 4.4.6. In particular, the cases for finite and infinite traces remain the same, and the case for partial traces disappears. ■

4.5.4  Communication  traces 

Each of the behaviors considered so far incorporates the assumption that intermediate states encountered along a computation are observable. However, in many cases, it is appropriate to consider programs (or the processors on which they run) as black boxes whose internal states are private and whose only observable characteristics are their interactions with their environment. For example, object-oriented programming and abstract data types are built on this tenet: a program's implementation details should be hidden, and only its interface should be accessible. In this subsection, we consider a communication trace behavior that incorporates the assumption that states are truly private and that only the sequence of visible communications that occur along a computation is observable.

We introduce sets $\Lambda^{*}$ and $\Lambda^{\omega}$ that correspond (respectively) to finite and infinite sequences of visible communications. We redefine

$$\Lambda = \{ h!n, h?n \mid h \in \mathit{Chan} \;\&\; n \in \mathbb{Z} \}$$

to be the set of “interesting” communications, and we let $\Lambda^{*} = \{\varepsilon\} \cup \Lambda^{+}$ be the set of finite communication sequences. The set of all communication sequences is

$$\Lambda^{\infty} = \Lambda^{*} \cup \Lambda^{*}\{\delta\}^{\omega} \cup \Lambda^{\omega}.$$


For each communication sequence $\eta \in \Lambda^{\infty}$, we define a generalized relation $\stackrel{\eta}{\Longrightarrow}$ as follows:

• When $\eta$ is finite, $(c, s) \stackrel{\eta}{\Longrightarrow} (c', s')$ indicates that the command $c$ in state $s$ can perform the sequence of visible communications $\eta$ (possibly with some intermediate $\delta$ transitions), leading to the command $c'$ in state $s'$. When $\eta$ is the single label $\lambda$, $\stackrel{\lambda}{\Longrightarrow}$ corresponds precisely to the definition of $\stackrel{\lambda}{\Longrightarrow}$ given in Subsection 4.5.2.

• When $\eta$ is infinite, $(c, s) \stackrel{\eta}{\Longrightarrow}$ indicates that there is a strongly fair computation of the command $c$, originating in state $s$, with the sequence of communications $\eta$. When $\eta$ has the form $\alpha\delta^{\omega}$, the computation diverges after $\alpha$ with internal chattering.

Note that the empty sequence $\varepsilon$ is distinct from the communication sequence $\delta^{\omega}$: the former represents a finite sequence (possibly having length zero) of internal actions, whereas the latter represents an infinite sequence of internal actions.

We can now define the communication trace behavior $\mathcal{C} : \mathit{Com} \to \mathcal{P}(\Lambda^{\infty} \cup \Lambda^{*}\delta)$ as follows:

$$\begin{aligned}
\mathcal{C}[\![c]\!] ={}& \{ \eta \mid \exists s, s', c'.\; (c, s) \stackrel{\eta}{\Longrightarrow} (c', s')\,\mathit{term} \} \\
\cup{}& \{ \eta\delta \mid \exists s, s', c'.\; (c, s) \stackrel{\eta}{\Longrightarrow} (c', s')\,\mathit{dead} \} \\
\cup{}& \{ \eta \mid \exists s.\; (c, s) \stackrel{\eta}{\Longrightarrow} \text{ is strongly fair} \}.
\end{aligned}$$

To support compositional reasoning about $\mathcal{C}$, we introduce yet another variant of the semantics, one that records only the initial and terminal states of computations. Even though initial and final states are not observable in the behavior $\mathcal{C}$, they are necessary for determining which traces can be composed in a meaningful way: in particular, the traces $\varphi_1$ of $c_1$ and $\varphi_2$ of $c_2$ can be used to generate a trace of $c_1; c_2$ only if the computation represented by $\varphi_2$ originates in the final state of the computation represented by $\varphi_1$.

To this end, we introduce a new style of simple traces. For technical reasons, we need two types of finite traces, one to represent successful computations and one to represent partial computations; thus we define the set of finite simple traces

$$\Sigma_c^{*} = (S \times \Lambda^{*} \times S) \cup (S \times \Lambda^{*}),$$

with traces $(s, \eta, s')$ representing successful computations and traces $(s, \eta)$ representing partial computations. Intuitively, the need for this distinction arises because we can “observe” the final state of a successful computation by transmitting the value of the finite number of variables along some channel; in contrast, there is no reliable way to interrupt a computation to observe intermediate states. Similarly, because there is no final state of an infinite computation, the set of infinite simple traces is

$$\Sigma_c^{\omega} = S \times \Lambda^{\omega}.$$

We then let $\Sigma_c = \Sigma_c^{*} \cup \Sigma_c^{\omega}$ be the set of all finite and infinite traces, and, using the same contextual information as before, we define the set of fair communication traces by

$$\begin{aligned}
\Phi_c ={}& \Sigma_c^{*} \times (\mathcal{P}_{fin}(\Delta) \times \mathcal{P}_{fin}(\Delta) \times \{f\}) \\
\cup{}& \Sigma_c^{\omega} \times (\mathcal{P}_{fin}(\Delta) \times \mathcal{P}_{fin}(\Delta) \times \{i\}) \\
\cup{}& \Sigma_c^{*} \times (\mathcal{P}_{fin}(\Delta^{+}) \times \mathcal{P}_{fin}(\Delta^{+}) \times \{p\}).
\end{aligned}$$

We now introduce a trace semantic function $\mathcal{T}_c : \mathit{Com} \to \mathcal{P}(\Phi_c)$ characterized operationally as follows:

$$\begin{aligned}
\mathcal{T}_c[\![c]\!] ={}& \{ ((s, \eta, s'), (F, \mathit{en}(\rho), f)) \mid \rho = (c, s) \stackrel{\eta}{\Longrightarrow} (c', s')\,\mathit{term} \text{ is fair mod } F \} \\
\cup{}& \{ ((s, \eta), (F, E, p)) \mid \rho = (c, s) \stackrel{\eta}{\Longrightarrow} (c', s') \;\&\; \neg (c', s')\,\mathit{term} \;\&\; F \supseteq E = \mathit{inits}(c', s') \} \\
\cup{}& \{ ((s, \eta), (F, \mathit{en}(\rho), i)) \mid \rho = (c, s) \stackrel{\eta}{\Longrightarrow} \text{ is fair mod } F \}.
\end{aligned}$$
As before, two simple traces $\alpha$ and $\beta$ are composable whenever $\alpha$ is an infinite or partial trace, or when the initial state of $\beta$ is the final state of $\alpha$. When $\alpha$ and $\beta$ are composable, their concatenation $\alpha\beta$ is defined as follows:

$$\alpha\beta = \begin{cases}
(s, \eta) & \text{if } \alpha = (s, \eta), \\
(s, \eta_1\eta_2, s') & \text{if } \alpha = (s, \eta_1, s'') \;\&\; \beta = (s'', \eta_2, s'), \text{ for some } s'' \in S, \\
(s, \eta_1\eta_2) & \text{if } \alpha = (s, \eta_1, s'') \;\&\; \beta = (s'', \eta_2), \text{ for some } s'' \in S.
\end{cases}$$

In turn, two fair traces $\varphi_1$ and $\varphi_2$ are composable whenever their simple trace components are composable. When $\varphi_1 = (\alpha, (F_1, E_1, R_1))$ and $\varphi_2 = (\beta, (F_2, E_2, R_2))$ are composable, their concatenation $\varphi_1\varphi_2$ is defined by:

$$\varphi_1\varphi_2 = \begin{cases}
(\alpha, (F_1, E_1, R_1)) & \text{if } R_1 \in \{i, p\}, \\
(\alpha\beta, (F_2, E_1 \cup E_2, f)) & \text{if } R_1 = R_2 = f, \\
(\alpha\beta, (F_2, E_2, R_2)) & \text{if } R_1 = f \text{ and } R_2 \in \{i, p\}.
\end{cases}$$

This definition looks exactly the same as the definition for concatenation given in Section 3.3; the only difference is the interpretation of the simple-trace concatenation $\alpha\beta$. We then define $T_1; T_2 = \{ \varphi_1\varphi_2 \mid \varphi_1 \in T_1 \;\&\; \varphi_2 \in T_2 \;\&\; \mathit{composable}(\varphi_1, \varphi_2) \}$. We also define infinite concatenation as before, with the obvious new interpretation of infinite concatenation on simple traces.
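As an added example (not from the dissertation), the following Python renders composability, the two concatenations and the operator $T_1; T_2$ just defined, and applies them to hand-constructed trace sets for the guards $a!0$ and $b?x$; the tuple encodings of states, communication sequences and fair traces are the example's own assumptions.

```python
# Added example, not from the dissertation: fair communication traces as
# Python tuples, with composability, simple-trace concatenation and the
# sequential-composition operator T1 ; T2 of Subsection 4.5.4.
# A state s is a frozenset of (identifier, value) pairs; a communication
# sequence eta is a tuple of (channel, direction, value) triples, so
# ("a", "!", 0) stands for a!0 and ("b", "?", 3) for b?3.  A simple trace
# is (s, eta, s') for a successful computation or (s, eta) for a partial
# or infinite one; a fair trace is (alpha, (F, E, R)) with R in
# {"f", "i", "p"}.  The sample trace sets below are constructed by hand.
from itertools import product


def successful(alpha):
    """True for the (s, eta, s') form; False for the two-component (s, eta) form."""
    return len(alpha) == 3


def composable(alpha, beta):
    """alpha is partial/infinite, or beta starts in the final state of alpha."""
    return not successful(alpha) or alpha[2] == beta[0]


def concat_simple(alpha, beta):
    """The three-case definition of alpha beta for composable simple traces."""
    if not successful(alpha):                 # case 1: (s, eta) absorbs beta
        return alpha
    s, eta1, _ = alpha
    if successful(beta):                      # case 2: (s, eta1 eta2, s')
        return (s, eta1 + beta[1], beta[2])
    return (s, eta1 + beta[1])                # case 3: (s, eta1 eta2)


def concat_fair(phi1, phi2):
    """Concatenation of composable fair traces; the context triple follows R1 and R2."""
    alpha, (_, e1, r1) = phi1
    beta, (f2, e2, r2) = phi2
    if r1 in ("i", "p"):                      # phi1 never finishes, so phi2 is unreachable
        return phi1
    if r2 == "f":                             # both finite: union the enabled sets
        return (concat_simple(alpha, beta), (f2, e1 | e2, "f"))
    return (concat_simple(alpha, beta), (f2, e2, r2))


def seq(t1, t2):
    """T1 ; T2 = { phi1 phi2 | phi1 in T1, phi2 in T2, composable(phi1, phi2) }."""
    return {concat_fair(p1, p2) for p1, p2 in product(t1, t2)
            if composable(p1[0], p2[0])}


def traces_of_send_then_receive():
    """Constructed trace sets for a!0 and b?x (x initially 7, two sample inputs)."""
    s = frozenset({("x", 7)})
    no_f = frozenset()                        # F = empty set for the finite traces
    a_out, b_in = frozenset({("a", "!")}), frozenset({("b", "?")})
    t_send = {
        ((s, (("a", "!", 0),), s), (no_f, a_out, "f")),   # a!0 performed
        ((s, ()), (a_out, a_out, "p")),                   # a!0 blocked: F contains E = {a!}
    }
    t_recv = {((s, ()), (b_in, b_in, "p"))}               # b?x blocked
    for n in (0, 1):                                      # b?x receives n
        t_recv.add(((s, (("b", "?", n),), frozenset({("x", n)})), (no_f, b_in, "f")))
    # Result: two successful traces a!0 b?n, one partial trace a!0 blocked on b?,
    # and the partial trace of a!0 itself (which absorbs every trace of b?x).
    return seq(t_send, t_recv)
```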

The definition of guarded choice on trace sets is very similar to the original definition presented in Section 3.3, the only modification being in the structure of partial traces:

$$\begin{aligned}
T_1 \mathbin{\Box} T_2 ={}& \{ (\alpha, (F, E, i)) \in T_1 \cup T_2 \mid \alpha \in \Sigma_c^{\omega} \} \\
\cup{}& \{ ((s, \eta), (F, E, p)) \in T_1 \cup T_2 \mid \eta \ne \varepsilon \} \\
\cup{}& \{ ((s, \varepsilon), (F_1 \cup F_2, E_1 \cup E_2, p)) \mid ((s, \varepsilon), (F_1, E_1, p)) \in T_1 \;\&\; ((s, \varepsilon), (F_2, E_2, p)) \in T_2 \} \\
\cup{}& \{ ((s, \eta, s'), (F_1, E_1 \cup E_2, f)) \mid ((s, \eta, s'), (F_1, E_1, f)) \in T_1 \;\&\; ((s, \varepsilon), (F_2, E_2, p)) \in T_2 \} \\
\cup{}& \{ ((s, \eta, s'), (F_2, E_1 \cup E_2, f)) \mid ((s, \eta, s'), (F_2, E_2, f)) \in T_2 \;\&\; ((s, \varepsilon), (F_1, E_1, p)) \in T_1 \}.
\end{aligned}$$

The definition for channel restriction is identical to that in Section 3.3, with the obvious change in interpretation for simple traces $\alpha$. We need to introduce new definitions for parallel composition, but the definitions are natural simplifications of those introduced before.

We define the interleaving of two disjoint, finite simple traces $(s_1, \eta_1, s_1')$ and $(s_2, \eta_2, s_2')$ by

$$(s_1, \eta_1, s_1') \sqcup (s_2, \eta_2, s_2') = (s_1 \cup s_2, \eta_1\eta_2, s_1' \cup s_2').$$

The interleaving of a finite simple trace $(s_1, \eta_1, s_1')$ with either a partial or infinite simple trace $(s_2, \eta_2)$ is (respectively) a partial or infinite simple trace, and we define

$$(s_1, \eta_1, s_1') \sqcup (s_2, \eta_2) = (s_1 \cup s_2, \eta_1\eta_2)$$

when the traces are disjoint. Finally, the interleaving of a partial or infinite trace $(s_1, \eta)$ with the empty and disjoint partial trace $(s, \varepsilon)$ is the infinite trace defined by

$$(s_1, \eta) \sqcup (s, \varepsilon) = (s_1 \cup s, \eta).$$

For context triples $\theta_1, \theta_2 \in \Gamma$, the parallel operator $\theta_1 \| \theta_2$ is as defined in Section 3.3, and for fair traces $\varphi_1 = (\alpha, \theta_1)$ and $\varphi_2 = (\beta, \theta_2)$ we again define

$$\varphi_1 \sqcup \varphi_2 = \{ (\alpha \sqcup \beta, \theta) \mid \theta \in \theta_1 \| \theta_2 \}.$$

Two nonempty, finite traces $\alpha = (s, \lambda_0 \cdots \lambda_n, s')$ and $\beta = (t, \mu_0 \cdots \mu_m, t')$ match iff $m = n$ and $\mathit{match}(\lambda_i, \mu_i)$ for each $i$. For matching, disjoint traces $\alpha$ and $\beta$, $\alpha \| \beta$ is the trace in which $\alpha$ and $\beta$ synchronize at each step: $\alpha \| \beta = (s \cup t, \varepsilon, s' \cup t')$. Likewise, for fair traces $\varphi_1 = (\alpha, \theta_1)$ and $\varphi_2 = (\beta, \theta_2)$,

$$\varphi_1 \| \varphi_2 = \{ (\alpha \| \beta, \theta) \mid \theta \in \theta_1 \| \theta_2 \}.$$

Using these new interpretations for $\varphi_1 \sqcup \varphi_2$ and $\varphi_1 \| \varphi_2$, we can define the relation $\mathit{fairmerge}_c \subseteq \Phi_c \times \Phi_c \times \Phi_c$ in much the same way as before. We define

$$\mathit{fairmerge}_c = \mathit{both}_c^{\omega} \cup \mathit{both}_c^{*} \cdot \mathit{one}_c,$$

with the sets $\mathit{both}_c$ and $\mathit{one}_c$ defined as follows:

$$\begin{aligned}
\mathit{both}_c ={}& \{ (\varphi_1, \varphi_2, \varphi), (\varphi_2, \varphi_1, \varphi) \mid \varphi_1, \varphi_2 \in \Phi_{fin} \;\&\; \mathit{disjoint}(\varphi_1, \varphi_2) \;\&\; \varphi \in \varphi_1 \sqcup \varphi_2 \} \\
\cup{}& \{ (\varphi_1, \varphi_2, \varphi) \mid \varphi_1, \varphi_2 \in \Phi_{fin} \;\&\; \mathit{disjoint}(\varphi_1, \varphi_2) \;\&\; \mathit{match}(\varphi_1, \varphi_2) \;\&\; \varphi \in \varphi_1 \| \varphi_2 \}, \\
\mathit{one}_c ={}& \{ (\varphi_1, \varphi_2, \varphi), (\varphi_2, \varphi_1, \varphi) \mid \varphi_1 \in \Phi_c \;\&\; \varphi_2 = ((s, \varepsilon, s), \theta_2) \;\&\; \mathit{disjoint}(\varphi_1, \varphi_2) \;\&\; \varphi \in \varphi_1 \sqcup \varphi_2 \} \\
\cup{}& \{ (\varphi_1, \varphi_2, \varphi), (\varphi_2, \varphi_1, \varphi) \mid \varphi_1 \in \Phi_c \;\&\; \varphi_2 = ((s, \varepsilon), \theta_2) \;\&\; \mathit{disjoint}(\varphi_1, \varphi_2) \;\&\; \varphi \in \varphi_1 \sqcup \varphi_2 \}.
\end{aligned}$$

The mergeability criteria remain the same, and we define

$$T_1 \| T_2 = \{ \varphi \mid \varphi_1 \in T_1 \;\&\; \varphi_2 \in T_2 \;\&\; \mathit{mergeable}(\varphi_1, \varphi_2) \;\&\; (\varphi_1, \varphi_2, \varphi) \in \mathit{fairmerge}_c \}.$$

Letting $\mathcal{T}_c[\![b]\!] = \{ ((s, \varepsilon, s), (F, \emptyset, f)) \mid (s, \mathit{tt}) \text{ is in the meaning of } b \;\&\; F \in \mathcal{P}_{fin}(\Delta) \}$, we can characterize the trace semantics $\mathcal{T}_c : \mathit{Com} \to \mathcal{P}(\Phi_c)$ denotationally in the following manner. With the new interpretations for the semantic operators, the semantic clauses for $\mathcal{T}_c$ look almost identical to the previous semantics; the only obvious difference is the absence of final states for the partial traces for skip, assignment, and guards.
Definition 4.5.7 The trace semantic function $\mathcal{T}_c : \mathit{Com} \to \mathcal{P}(\Phi_c)$ is defined by:

$$\begin{aligned}
\mathcal{T}_c[\![\mathbf{skip}]\!] &= \{ ((s, \varepsilon, s), (F, \emptyset, f)) \mid s \in S \;\&\; F \in \mathcal{P}_{fin}(\Delta) \} \\
&\qquad \cup \{ ((s, \varepsilon), (F, \{\delta\}, p)) \mid s \in S \;\&\; F \supseteq \{\delta\} \} \\
\mathcal{T}_c[\![i{:=}e]\!] &= \{ ((s, \varepsilon, [s \mid i = n]), (F, \emptyset, f)) \mid \mathit{fv}[\![i{:=}e]\!] \subseteq \mathrm{dom}(s) \;\&\; F \in \mathcal{P}_{fin}(\Delta) \;\&\; (s, n) \in \mathcal{E}[\![e]\!] \} \\
&\qquad \cup \{ ((s, \varepsilon), (F, \{\delta\}, p)) \mid \mathit{fv}[\![i{:=}e]\!] \subseteq \mathrm{dom}(s) \;\&\; F \supseteq \{\delta\} \} \\
\mathcal{T}_c[\![c_1; c_2]\!] &= \mathcal{T}_c[\![c_1]\!]; \mathcal{T}_c[\![c_2]\!] \\
\mathcal{T}_c[\![\mathbf{if}\ b\ \mathbf{then}\ c_1\ \mathbf{else}\ c_2]\!] &= \mathcal{T}_c[\![b]\!]; \mathcal{T}_c[\![c_1]\!] \cup \mathcal{T}_c[\![\neg b]\!]; \mathcal{T}_c[\![c_2]\!] \\
\mathcal{T}_c[\![\mathbf{while}\ b\ \mathbf{do}\ c]\!] &= (\mathcal{T}_c[\![b]\!]; \mathcal{T}_c[\![c]\!])^{\omega} \cup (\mathcal{T}_c[\![b]\!]; \mathcal{T}_c[\![c]\!])^{*}; \mathcal{T}_c[\![\neg b]\!] \\
\mathcal{T}_c[\![h?i]\!] &= \{ ((s, h?n, [s \mid i = n]), (F, \{h?\}, f)) \mid i \in \mathrm{dom}(s) \;\&\; n \in \mathbb{Z} \;\&\; F \in \mathcal{P}_{fin}(\Delta) \} \\
&\qquad \cup \{ ((s, \varepsilon), (F, \{h?\}, p)) \mid i \in \mathrm{dom}(s) \;\&\; F \supseteq \{h?\} \} \\
\mathcal{T}_c[\![h!e]\!] &= \{ ((s, h!n, s), (F, \{h!\}, f)) \mid (s, n) \in \mathcal{E}[\![e]\!] \;\&\; F \in \mathcal{P}_{fin}(\Delta) \} \\
&\qquad \cup \{ ((s, \varepsilon), (F, \{h!\}, p)) \mid \mathit{fv}[\![e]\!] \subseteq \mathrm{dom}(s) \;\&\; F \supseteq \{h!\} \} \\
\mathcal{T}_c[\![g \to c]\!] &= \mathcal{T}_c[\![g]\!]; \mathcal{T}_c[\![c]\!] \\
\mathcal{T}_c[\![gc_1 \mathbin{\Box} gc_2]\!] &= \mathcal{T}_c[\![gc_1]\!] \mathbin{\Box} \mathcal{T}_c[\![gc_2]\!] \\
\mathcal{T}_c[\![c_1 \| c_2]\!] &= \mathcal{T}_c[\![c_1]\!] \| \mathcal{T}_c[\![c_2]\!] \\
\mathcal{T}_c[\![c \backslash h]\!] &= \mathcal{T}_c[\![c]\!] \backslash h.
\end{aligned}$$

Not surprisingly, the semantics $\mathcal{T}_c$ is sound with respect to the behavior $\mathcal{C}$, but not fully abstract. To achieve full abstraction, we again need to close trace sets under the closure conditions introduced in Definition 4.2.1. As before, we can then define a closed trace semantic function $\mathcal{T}_c^{\dagger} : \mathit{Com} \to \mathcal{P}(\Phi_c)$ denotationally, so that, for each command $c$, $\mathcal{T}_c^{\dagger}[\![c]\!] = (\mathcal{T}_c[\![c]\!])^{\dagger}$.

The proof of full abstraction is similar to the full abstraction proof in Section 4.4. We make the initial and final states of computations “observable” by transmitting the value of state variables along a fresh channel.

Proposition 4.5.8 The closed trace semantics $\mathcal{T}_c^{\dagger}$ is (inequationally) fully abstract with respect to $\mathcal{C}$: for all commands $c$ and $c'$,

$$\mathcal{T}_c^{\dagger}[\![c]\!] \subseteq \mathcal{T}_c^{\dagger}[\![c']\!] \iff \forall P[-].\; \mathcal{C}[\![P[c]]\!] \subseteq \mathcal{C}[\![P[c']]\!].$$

Proof: (Sketch) As in the previous full abstraction proofs, the forward implication follows from the compositionality of $\mathcal{T}_c^{\dagger}$, the monotonicity of operations on trace sets, and the fact that, for all commands $c$, $\mathcal{C}[\![c]\!]$ can be extracted from $\mathcal{T}_c^{\dagger}[\![c]\!]$.
The reverse implication follows from a case analysis similar to that used in the proof of Proposition 4.4.6. The main difference is that the distinguishing contexts must account for an observable behavior that is communication-based rather than state-based. Whereas the previous contexts signal the occurrence of particular events by setting the values of certain identifiers, these contexts must signal such occurrences with visible communication events.

For example, suppose that $c$ has an infinite trace $((s, \eta), (F, E, i))$ that $c'$ does not. Let $x_1, \ldots, x_n$ be the free identifiers of $c$ and $c'$; without loss of generality, $\mathrm{dom}(s) = \{x_1, \ldots, x_n\}$. Let $h_1, \ldots, h_k$ be the channel names appearing in $c$ and $c'$, and let $a$, $b$ and $c_1, \ldots, c_k$ be fresh channel names. Finally, let the sets $G_X$ and $G_Y$ be constructed from the minimal $\alpha$-traces of $c'$ as in previous proofs.

The distinguishing context we construct uses a modification of the command $\mathit{Guess}$ used previously. Roughly speaking, each pair of lines

$$\begin{aligned}
2i-1:\;& \mathit{synch}{:=}0;\; ((h_i!\mathit{value} \to \mathit{synch}{:=}1) \mathbin{\Box} \textstyle\sum_{g \in G} g) \\
2i:\;& \mathit{synch}{:=}0;\; ((h_i?\mathit{value} \to \mathit{synch}{:=}1) \mathbin{\Box} \textstyle\sum_{g \in G} g)
\end{aligned}$$

in $\mathit{Guess}(H, G, \mathit{fl})$ of Figure 4.1 can be replaced by the following pair of lines, where $c_1, \ldots, c_k$ and $b$ are fresh channels:

$$\begin{aligned}
2i-1:\;& ((h_i!\mathit{value} \to c_i!0 \to c_i!\mathit{value}) \mathbin{\Box} \textstyle\sum_{g \in G} g \to b!0) \\
2i:\;& ((h_i?\mathit{value} \to c_i!1 \to c_i!\mathit{value}) \mathbin{\Box} \textstyle\sum_{g \in G} g \to b!0)
\end{aligned}$$

Each communication along channel $h_i$ is signaled by two outputs along channel $c_i$, the first indicating whether input or output occurred and the second indicating the “transferred value”. The guard $b!0$ serves the same purpose that the variable $\mathit{flag}$ played in the previous proof.

We then let $P[-]$ be the following context, where we use communications on channel $a$ to record the initial state:

$$(a!x_1 \to a!x_2 \to \cdots \to a!x_n \to [-] \;\|\; \mathit{Guess}(H, G_X, b!0) \;\|\; \textstyle\sum_{g \in G_Y} g \to b!0)\backslash h_1 \backslash \cdots \backslash h_k.$$

$\mathcal{C}[\![P[c]]\!]$ contains a behavior corresponding to $(s, \eta)$ in which the communication $b!0$ never occurs. In contrast, every behavior of $\mathcal{C}[\![P[c']]\!]$ corresponding to $\alpha$ must eventually perform the action $b!0$. ■


Chapter  5 

Strong  Channel  Fairness 


In Chapters 3 and 4, we constructed several trace semantics that incorporate assumptions of strong process fairness and yield full abstraction with respect to specific notions of strongly fair behavior. The ease with which we adapted the strongly fair semantics to yield several full abstraction results indicates a certain robustness of the trace framework. In this chapter, we further demonstrate the framework's robustness by constructing a semantics that incorporates assumptions of strong channel fairness. The channel-fair semantics retains a lot of the essence of the strongly fair semantics. However, the additional burden of determining when communication is enabled infinitely often on a given channel requires a more complex semantic structure.

We begin by formalizing the concept of channel fairness and introducing a parameterized form of channel fairness. This parameterization of channel fairness admits a compositional characterization and guides the construction of the channel-fair semantics. The need to determine when communication is enabled infinitely often on particular channels makes the resulting channel-fair semantics more complex than the strongly fair semantics of the previous chapter, and it is not fully abstract. We conclude the chapter by discussing this lack of full abstraction: we hint how the semantics might be altered to achieve full abstraction, and we describe why the lack of full abstraction is not an indictment of either the trace framework or the channel-fair semantics.


5.1  Channels,  Names,  Durations,  and  Scopes 

Informally, a computation is strongly channel-fair if it satisfies the following two conditions:

• Every process enabled infinitely often makes progress infinitely often.

• Every channel on which communication is enabled infinitely often is used infinitely often.

That is, strong channel fairness combines strong process fairness with additional constraints on the use of infinitely enabled channels. Thus, for example, every channel-fair computation of the command

$$(\mathbf{while}\ \mathit{true}\ \mathbf{do}\ (a!0 \mathbin{\Box} b!1) \;\|\; \mathbf{while}\ \mathit{true}\ \mathbf{do}\ (a?x \mathbin{\Box} b?x))\backslash a \backslash b$$

uses each of the channels $a$ and $b$ infinitely often, thereby changing the value of identifier $x$ from 0 to 1 (and vice versa) infinitely often. Such a computation is also strongly process-fair. However, strong process fairness does not require the infinite use of both channels, as long as both processes make infinite progress: the infinite computation in which $x$ remains set to 0 is also strongly fair.

To  formalize  strong  channel  fairness,  however,  we  must  make  explicit  what  we  mean  by 
the  term  channel.  So  far,  we  have  used  the  term  in  two  distinct  ways.  First,  we  have  used  it  as  a 
synonym  for  channel  name,  meaning  a  member  of  the  syntactic  class  Chan.  Second,  we  have 
used  channel  to  refer  to  the  abstract  (and  rather  nebulous)  concept  of  a  link  by  which  processes 
communicate  with  one  another  and  their  external  environment;  in  this  sense,  a  channel  is  a 
semantic  entity.  Because  channel  names  provide  the  only  way  to  refer  to  particular  links,  we 
tend  to  blur  the  distinction  between  names  and  links,  using  the  phrase  “channel  a”  to  mean 
“the  channel  designated  by  name  a”.  This  distinction  may  seem  a  trifling  detail,  but  it  is 
crucial  for  defining  and  understanding  channel  fairness.  Intuitively,  the  relationship  between 
channel  names  and  channels  is  analogous  to  that  between  a  procedure’s  local  variables  and 
their  instantiation  during  procedure  activation.  We  make  this  connection  more  explicit  in  the 
following  discussion. 

Let $c$ be a command in which the channel name $h$ occurs free (i.e., $h \in \mathit{fc}[\![c]\!]$). The restriction operator “$\backslash h$” binds the free occurrences of $h$ in $c$, and each occurrence of $h$ in the command $c \backslash h$ is said to be bound.¹ For any command $c$ and channel name $h$, the (syntactic) scope of an occurrence of $h$ in $c$ is the smallest subcommand of $c$ in which that occurrence is bound by $\backslash h$; when the occurrence is free in $c$, its scope is the command $c$ itself. For example, in the command

$$Q = \mathbf{while}\ \mathit{true}\ \mathbf{do}\ ((a!0 \mathbin{\Box} b!1) \;\|\; (a?x \mathbin{\Box} b?x))\backslash a,$$

the scope of each occurrence of $a$ is the command $((a!0 \mathbin{\Box} b!1) \;\|\; (a?x \mathbin{\Box} b?x))\backslash a$, and the scope of each occurrence of $b$ is the command $Q$. A single name $h$ may have multiple scopes within a program $c$, with each scope being the scope of some occurrence of $h$ in $c$. For example, in the program

$$(a!1 \;\|\; a?x)\backslash a;\; (\mathbf{while}\ \mathit{true}\ \mathbf{do}\ (a!0 \;\|\; a?x))\backslash a,$$

the name $a$ has two different scopes: $(a!1 \;\|\; a?x)\backslash a$ and $(\mathbf{while}\ \mathit{true}\ \mathbf{do}\ (a!0 \;\|\; a?x))\backslash a$.

¹Indeed, a more suggestive syntax for the command $c \backslash h$ might be “$\mathbf{new\ channel}\ h\ \mathbf{in}\ c$”, which emphasizes the similarity between channel names and local variables.

During program execution, each entry into a channel name's scope creates a new channel, and each exit from a name's scope destroys that channel. The duration (or extent) of a channel is that portion of the execution during which the channel exists. For example, consider an infinite computation of the program

$$P_1 = (\mathbf{while}\ \mathit{true}\ \mathbf{do}\ (a!0 \mathbin{\Box} b!1 \;\|\; a?x \mathbin{\Box} b?x))\backslash a \backslash b.$$

The two names $a$ and $b$ are associated with two different channels, each of which has infinite duration. Because communication is enabled on both channels infinitely often, every strongly channel-fair computation of $P_1$ must change the value of $x$ from 0 to 1 (and vice versa) infinitely often. In contrast, consider the infinite computations of the program

$$P_2 = \mathbf{while}\ \mathit{true}\ \mathbf{do}\ ((a!0 \mathbin{\Box} b!1 \;\|\; a?x \mathbin{\Box} b?x)\backslash a \backslash b).$$

Each iteration through the loop creates (and subsequently destroys) new channels identified by the names $a$ and $b$; each such channel has only finite duration. No channel ever can be enabled infinitely often in an infinite computation of $P_2$, because no channel ever has infinite duration. As a result, an infinite computation of $P_2$ that never sets the value of $x$ to 1 is still strongly channel-fair.

The programs $P_1$ and $P_2$ illustrate the difference between channel names and channels, as well as the effect this distinction has on channel fairness: although $P_1$ and $P_2$ can match each other step-for-step, $P_2$ has channel-fair computations that do not correspond to channel-fair computations of $P_1$. Out of necessity, we shall continue to refer to channels by their names throughout this dissertation. However, it is important to remember that channel fairness involves assumptions about channels, not channel names.


5.2  Parameterized  Channel  Fairness 

As demonstrated in Section 3.1, the fair computations of a command cannot be characterized (in general) by referring only to the fair computations of its subcommands. Synchronous communication requires two active participants, and hence the enabledness of a process (or of a particular communication) depends on the status of other processes. The solution for strong process fairness was to consider “almost strongly fair” computations; we adopt a similar approach here for channel fairness.

A computation can fail to be strongly channel-fair for one of two reasons: (1) some process is enabled infinitely often and yet makes only finite progress, or (2) some channel on which communication is enabled infinitely often is used only finitely often. Similarly, an “almost channel-fair” computation can be characterized by a combination of process constraints (representing the infinitely enabled processes that fail to make infinite progress) and channel constraints (representing the infinitely enabled channels that do not get used infinitely often).

It is important to separate the process and channel constraints, because they represent different types of assumptions. Intuitively, the process constraints (which we can represent by a set $F$ of directions, as in Chapter 3) correspond to infinitely enabled processes that, when the original command is placed in a larger context, cease to be enabled infinitely often and hence are not treated unfairly. In this sense, process constraints limit the types of communications other processes are allowed to provide. In contrast, the channel constraints (which we can represent by a set $H$ of channels) correspond to infinitely enabled channels that, when the original command is placed in a larger context, cease to be treated unfairly, either because they are no longer enabled infinitely often, or because some other component uses them infinitely often. Thus, in some sense, channel constraints can actually encourage other processes to perform certain types of communications.

Combining process and channel constraints, we parameterize strong channel fairness by pairs $(F, H)$, where $F$ is a finite set of directions and $H$ is a finite set of channels. Informally, a computation $\rho$ is channel-fair mod $(F, H)$ if and only if it is strongly fair mod $F$ and the set $H$ contains exactly² those channels that are enabled infinitely often but used only finitely often along $\rho$. When the sets $F$ and $H$ are both empty, this characterization coincides with the traditional notion of strong channel fairness introduced in Subsection 2.2.2. The formal characterization of parameterized channel fairness follows.

Definition 5.2.1 A computation ρ of command c is strongly channel-fair modulo (F,H) (or, channel-fair mod (F,H)) provided ρ satisfies one of the following conditions:

• ρ is a finite, successfully terminating computation, and H = ∅;

• ρ is a partial computation whose final configuration is blocked modulo F, and H = ∅;

• ρ is an infinite computation, c has form (c1;c2), (if b then c1 else c2), or (g → c1), and the underlying infinite computation of c1 or c2 is fair mod (F,H);

• ρ is an infinite computation, c has form (while b do c'), all underlying computations of c' are fair mod F, and H contains exactly those channels that are enabled infinitely often but used only finitely often along ρ;

• ρ is an infinite computation, c has form (gc1 □ gc2), and the underlying computation of the selected gci is fair mod (F,H);

• ρ is an infinite computation, c has form c'\h, the underlying computation ρ' of c' is fair modulo (F ∪ {h!, h?}, H ∪ {h}), and synchronization on h is not enabled infinitely often along ρ';

• ρ is an infinite computation, c has form c1 ‖ c2, and there exist sets F1, F2, H1, H2, and computations ρ1 of c1 and ρ2 of c2 such that:

  - ρ1 is fair mod (F1,H1) and ρ2 is fair mod (F2,H2),

  - ρ can be obtained by merging and synchronizing ρ1 and ρ2,

  - F ⊇ F1 ∪ F2 and H = (H1 ∪ H2) − (uchans(ρ1) ∪ uchans(ρ2)), where uchans(ρi) is the set of channels used infinitely often along ρi,

  - neither ρi enables infinitely often any direction matching a member of Fj (i ≠ j),

  - neither ρi uses a direction in Fj infinitely often (i ≠ j). ∘

¹There is an asymmetry in this parameterization: the set F is a superset of a computation's process constraints, whereas the set H contains precisely its channel constraints. Having H be a superset of the channel constraints would still permit an accurate compositional characterization; the choice to have H contain exactly the relevant constraints merely simplifies the presentation of the channel-fair trace semantics in the next section.

This definition captures the inherent duality between process and channel constraints. Process constraints are verified during parallel composition to guarantee that neither component violates the other's assumptions, and they are discharged through channel restriction. In contrast, channel constraints are discharged either through parallel composition (when one component uses another's unused channels) or through restriction (provided synchronization is not enabled infinitely often), and they are always verified during channel restriction to ensure that no channel with synchronization enabled infinitely often gets ignored.

The  following  examples  illustrate  the  notion  of  parameterized  channel  fairness. 

Example 5.2.2 Consider the commands Q1 = while true do Q'1 and Q2 = while true do Q'2, where Q'1 and Q'2 are defined as follows:

$$Q'_1 = a!0 \to (b!0 \to \mathit{skip} \mathbin{\Box} c!0 \to \mathit{skip}), \qquad Q'_2 = (a!0 \to \mathit{skip} \mathbin{\Box} b?x \to \mathit{skip}).$$

• Let ρ1 be the following computation of Q1 in which channel b is never used:

$$\begin{aligned}
(Q_1, s_1) &\to ((a!0 \to (b!0 \to \mathit{skip} \mathbin{\Box} c!0 \to \mathit{skip})); Q_1,\ s_1)\\
&\to ((b!0 \to \mathit{skip} \mathbin{\Box} c!0 \to \mathit{skip}); Q_1,\ s_1)\\
&\to (\mathit{skip}; Q_1,\ s_1) \to (Q_1, s_1) \to \cdots
\end{aligned}$$

This computation is channel-fair mod (∅, {b}): no process blocks, and channel b is the only infinitely enabled channel not used infinitely often.
• Let ρ2 be the following computation of Q2 in which the channel b is never used:

$$\begin{aligned}
(Q_2, s_2) &\to ((a!0 \to \mathit{skip} \mathbin{\Box} b?x \to \mathit{skip}); Q_2,\ s_2)\\
&\to (\mathit{skip}; Q_2,\ s_2) \to (Q_2, s_2) \to \cdots
\end{aligned}$$

This computation is also channel-fair mod (∅, {b}).

• Let ρ be the following computation, which results from an interleaving of the computations ρ1 and ρ2:

$$\begin{aligned}
(Q_1 \parallel Q_2,\ s) &\to (Q_1 \parallel ((a!0 \to \mathit{skip} \mathbin{\Box} b?x \to \mathit{skip}); Q_2),\ s)\\
&\to ((a!0 \to (b!0 \to \mathit{skip} \mathbin{\Box} c!0 \to \mathit{skip})); Q_1 \parallel ((a!0 \to \mathit{skip} \mathbin{\Box} b?x \to \mathit{skip}); Q_2),\ s)\\
&\to ((a!0 \to (b!0 \to \mathit{skip} \mathbin{\Box} c!0 \to \mathit{skip})); Q_1 \parallel (\mathit{skip}; Q_2),\ s)\\
&\to ((b!0 \to \mathit{skip} \mathbin{\Box} c!0 \to \mathit{skip}); Q_1 \parallel (\mathit{skip}; Q_2),\ s)\\
&\to ((\mathit{skip}; Q_1) \parallel (\mathit{skip}; Q_2),\ s)\\
&\to (Q_1 \parallel (\mathit{skip}; Q_2),\ s)\\
&\to (Q_1 \parallel Q_2,\ s) \to \cdots
\end{aligned}$$

This computation is channel-fair mod (∅, {b}). Moreover, because synchronization on channel b is never enabled, the corresponding computation of (Q1 ‖ Q2)\b is channel-fair mod (∅, ∅). ∘

The  next  example  illustrates  how  the  channel  fairness  of  a  computation  can  depend  on  the  order 
in  which  independent  actions  occur. 

Example 5.2.3 Let ρ1 and ρ2 be the computations defined in the previous example, and let ρ' be the following computation, which also arises from an interleaving of ρ1 and ρ2:

$$\begin{aligned}
(Q_1 \parallel Q_2,\ s) &\to (Q_1 \parallel (a!0 \to \mathit{skip} \mathbin{\Box} b?x \to \mathit{skip}); Q_2,\ s)\\
&\to ((a!0 \to (b!0 \to \mathit{skip} \mathbin{\Box} c!0 \to \mathit{skip})); Q_1 \parallel (a!0 \to \mathit{skip} \mathbin{\Box} b?x \to \mathit{skip}); Q_2,\ s)\\
&\to ((b!0 \to \mathit{skip} \mathbin{\Box} c!0 \to \mathit{skip}); Q_1 \parallel (a!0 \to \mathit{skip} \mathbin{\Box} b?x \to \mathit{skip}); Q_2,\ s)\\
&\to ((b!0 \to \mathit{skip} \mathbin{\Box} c!0 \to \mathit{skip}); Q_1 \parallel (\mathit{skip}; Q_2),\ s)\\
&\to ((\mathit{skip}; Q_1) \parallel (\mathit{skip}; Q_2),\ s)\\
&\to (Q_1 \parallel (\mathit{skip}; Q_2),\ s)\\
&\to (Q_1 \parallel Q_2,\ s) \to \cdots
\end{aligned}$$

The computation ρ' is also channel-fair mod (∅, {b}). However, synchronization on channel b is enabled in each of the (infinitely many) configurations with form

$$((b!0 \to \mathit{skip} \mathbin{\Box} c!0 \to \mathit{skip}); Q_1 \parallel (a!0 \to \mathit{skip} \mathbin{\Box} b?x \to \mathit{skip}); Q_2,\ s).$$

As a result, the computation of (Q1 ‖ Q2)\b that corresponds to ρ' is not channel-fair mod (∅, ∅). ∘

Finally,  the  following  example  highlights  the  dual  nature  of  the  process  and  fairness  constraints. 

Example 5.2.4 Consider the following two commands

$$C_1 = (b!0 \parallel \mathbf{while}\ \mathit{true}\ \mathbf{do}\ (a!0 \mathbin{\Box} c!0)), \qquad C_2 = \mathbf{while}\ \mathit{true}\ \mathbf{do}\ (c?x \parallel c!0).$$

Let ρ1 be an infinite computation of C1 that repeatedly uses channel a and never uses channels b and c; such a computation is channel-fair mod ({b!}, {b, c}). Additionally, let ρ2 be an infinite computation of C2 in which the components c?x and c!0 repeatedly synchronize with one another; this computation is channel-fair mod (∅, ∅).

Finally, let ρ be an infinite computation of C1 ‖ C2 that results from some fair interleaving of the computations ρ1 and ρ2. The computation ρ is channel-fair mod ({b!}, {b}): ρ2 respects ρ1's process constraints (that is, it does not enable b? infinitely often or use b! infinitely often), and it discharges one of ρ1's channel constraints by using channel c infinitely often. Because synchronization is not enabled on channel b infinitely often, it follows that the corresponding computation of (C1 ‖ C2)\b is channel-fair mod (∅, ∅). ∘


5.3  Channel-Fair  Traces 

The definition of parameterized strong fairness is clearly embedded in the definition of parameterized channel fairness. Moreover, the only difference between the two definitions is that the latter also manipulates sets H of channel constraints. This strong connection might lead us to expect that we can construct appropriate channel-fair traces simply by adding to the strongly fair traces an additional component that records the relevant channel constraints: for example, the trace (α, (F, H, E, i)) might represent a channel-fair mod (F,H) computation with infinitely enabled directions E.

Unfortunately, the apparent simplicity of the parameterized channel-fairness definition obscures an important fact: determining whether synchronization is enabled on a particular channel requires more information than merely the sets of directions enabled along a transition sequence. For example, recall the commands

$$Q'_1 = a!0 \to (b!0 \to \mathit{skip} \mathbin{\Box} c!0 \to \mathit{skip}), \qquad Q'_2 = (a!0 \to \mathit{skip}) \mathbin{\Box} (b?x \to \mathit{skip})$$

from Examples 5.2.2 and 5.2.3. The command Q'1 ‖ Q'2 has two different computations that can each be represented by the simple trace

$$(s, a!0, s)\,(s, a!0, s)\,(s, c!0, s)\,(s, \delta, s)\,(s, \delta, s),$$

one in which Q'1 makes the first move and one in which Q'2 makes the first move. In each case, input and output are both enabled on channel b, but synchronization on channel b is enabled only when Q'1 makes the first transition. Simply knowing that Q'1 enables b! and Q'2 enables b? along their respective computations is insufficient to determine whether synchronization on channel b is enabled: we also need to know whether b! and b? are enabled at the same time. Generally speaking, even knowing that both directions of a given channel are enabled at the same time may still be inadequate for determining whether synchronization is enabled. For example, consider the following two commands

$$\begin{aligned}
Q_3 &= (a!0 \mathbin{\Box} b?x) \parallel (a!0 \mathbin{\Box} b!0),\\
Q_4 &= (a!0 \to (a!0 \mathbin{\Box} b!0)) \mathbin{\Box} (a!0 \to (a!0 \mathbin{\Box} b?x)) \mathbin{\Box} (b?x \to (a!0 \mathbin{\Box} b!0)) \mathbin{\Box} (b!0 \to (a!0 \mathbin{\Box} b?x)),
\end{aligned}$$

both of which have computations that can be represented by the simple trace (s, a!0, s)(s, a!0, s). In each case, both b! and b? are enabled in the initial configuration. However, synchronization on channel b is enabled only along the computation of Q3.

For this reason, we consider sequences of enabling sets, which are finite sets of channels and directions such that the channel h appears only in sets that also contain the directions h! and h?. Intuitively, the presence of channel h in an enabling set E indicates that synchronization on channel h is enabled, and the absence of h indicates that synchronization on h is not enabled. Given commands c1 and c2 with enabling sets E1 and E2, respectively, the set

$$E_1 \parallel E_2 = E_1 \cup E_2 \cup \{h \mid \exists d \in E_1.\ \bar{d} \in E_2 \ \&\ \mathit{chan}(d) = h\}$$

(where $\bar{d}$ denotes the direction matching d) represents the enabling set of the parallel command c1 ‖ c2: the parallel command can perform any action either component can, and it can also synchronize on any channel on which the two components' enabling sets match.

For any configuration (c,s), comms(c,s) is the set of directions and channels that describe the possible communications from the configuration (c,s). A structurally inductive definition of comms(c,s) appears in Figure 5.1. The set comms(c,s) is related to the set inits(c,s), except that it may include channels and it never includes δ: in particular, the channel h, rather than the label δ, indicates the possibility of synchronization on channel h. As is clear from the inductive definition, channels appear in comms(c,s) only through parallel composition. Thus, for example, the programs Q3 and Q4 described earlier can be distinguished based on their initial enabling sets: comms(Q3,s) = {a!, b!, b?, b}, whereas comms(Q4,s) = {a!, b!, b?}.
$$\begin{aligned}
\mathit{comms}(\mathit{skip}, s) &= \emptyset\\
\mathit{comms}(i := e, s) &= \emptyset\\
\mathit{comms}(c_1; c_2, s) &= \mathit{comms}(c_1, s)\\
\mathit{comms}(\mathbf{if}\ b\ \mathbf{then}\ c_1\ \mathbf{else}\ c_2, s) &= \emptyset\\
\mathit{comms}(\mathbf{while}\ b\ \mathbf{do}\ c, s) &= \emptyset\\
\mathit{comms}(h?i, s) &= \{h?\}\\
\mathit{comms}(h!e, s) &= \{h!\}\\
\mathit{comms}(g \to c, s) &= \mathit{comms}(g, s)\\
\mathit{comms}(gc_1 \mathbin{\Box} gc_2, s) &= \mathit{comms}(gc_1, s) \cup \mathit{comms}(gc_2, s)\\
\mathit{comms}(c_1 \parallel c_2, s) &= \mathit{comms}(c_1, s) \parallel \mathit{comms}(c_2, s)\\
\mathit{comms}(c \backslash h, s) &= \mathit{comms}(c, s) - \{h!, h?, h\}
\end{aligned}$$

Figure 5.1: Inductive definition of comms(c, s).
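As an added worked example (my own code, not part of the dissertation), the following Python encodes the comms function of Figure 5.1 and the E1 ‖ E2 operation on enabling sets over a small tuple-based syntax of my own choosing, and checks that it separates Q3 from Q4 exactly as the text describes. Directions are written as strings such as "a!" and "b?", and a bare channel name such as "b" in a set stands for enabled synchronization on b; the state argument s is carried but, as in the figure, never inspected.

```python
# Added example (not from the dissertation): enabling sets and comms(c, s)
# from Figure 5.1 over a tuple-encoded syntax of my own choosing, in which a
# command is a tuple whose first element names the construct.

def chan(d):
    """Channel of a direction: chan("b!") == chan("b?") == "b"."""
    return d[:-1]

def matching(d):
    """The complementary direction: a! <-> a?"""
    return chan(d) + ("?" if d.endswith("!") else "!")

def is_direction(x):
    return x.endswith("!") or x.endswith("?")

def par_enable(e1, e2):
    """E1 || E2: union of both sets plus each channel h on which some
    direction d in E1 has its matching direction in E2 (sync on h enabled)."""
    sync = {chan(d) for d in e1 if is_direction(d) and matching(d) in e2}
    return frozenset(e1) | frozenset(e2) | sync

def comms(c, s=None):
    """Structural definition of comms(c, s) from Figure 5.1. The state s is
    carried only for fidelity to the figure; no case inspects it."""
    kind = c[0]
    if kind in ("skip", "assign", "if", "while"):
        return frozenset()
    if kind == "seq":                 # comms(c1;c2, s) = comms(c1, s)
        return comms(c[1], s)
    if kind == "in":                  # h?i enables h?
        return frozenset({c[1] + "?"})
    if kind == "out":                 # h!e enables h!
        return frozenset({c[1] + "!"})
    if kind == "guard":               # g -> c enables whatever g enables
        return comms(c[1], s)
    if kind == "choice":              # gc1 [] gc2: union of both sides
        return comms(c[1], s) | comms(c[2], s)
    if kind == "par":                 # c1 || c2: E1 || E2, the only source of channels
        return par_enable(comms(c[1], s), comms(c[2], s))
    if kind == "restrict":            # c\h: drop h!, h? and h
        h = c[2]
        return comms(c[1], s) - {h + "!", h + "?", h}
    raise ValueError(f"unknown construct {kind!r}")

# Q3 and Q4 from the text, hand-encoded in the tuple syntax above.
A_OUT = ("out", "a", 0)
B_OUT = ("out", "b", 0)
B_IN = ("in", "b", "x")
Q3 = ("par", ("choice", A_OUT, B_IN), ("choice", A_OUT, B_OUT))
Q4 = ("choice",
      ("choice", ("guard", A_OUT, ("choice", A_OUT, B_OUT)),
                 ("guard", A_OUT, ("choice", A_OUT, B_IN))),
      ("choice", ("guard", B_IN, ("choice", A_OUT, B_OUT)),
                 ("guard", B_OUT, ("choice", A_OUT, B_IN))))

def initial_enabling_sets():
    """(comms(Q3, s), comms(Q4, s)) as sorted lists, for display."""
    return sorted(comms(Q3)), sorted(comms(Q4))

if __name__ == "__main__":
    q3, q4 = initial_enabling_sets()
    print("comms(Q3, s) =", q3)   # ['a!', 'b', 'b!', 'b?']
    print("comms(Q4, s) =", q4)   # ['a!', 'b!', 'b?']
```

Only the `par` case can put a bare channel into the result, which is what lets Q3 (two parallel components enabling b? and b!) be told apart from Q4 (one sequential component that merely offers both directions).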


Reusing the set of simple traces defined in Section 3.3, we can now define the set $\Phi_{ch}$ of channel-fair traces as the product of the set of simple traces with

$$\mathcal{P}_{\mathit{fin}}(\Delta^+) \times \mathcal{P}_{\mathit{fin}}(\Delta^+) \times \mathcal{P}_{\mathit{fin}}(\Delta \cup \mathit{Chan})^{\infty} \times \{f, p, i\}.$$

Intuitively, the trace (α, (F, U, ℰ, f)) represents a (necessarily channel-fair) successfully terminating computation having the finite sequence ℰ of enabling sets and the set U of enabled but unused channels. The trace (α, (F, U, ℰ, i)) represents an infinite, fair mod (F, U) computation having the infinite sequence ℰ of enabling sets. Finally, the trace (α, (F, ∅, ℰ, p)) represents a partial computation having the finite sequence ℰ of enabling sets; as in strongly fair traces, the set F is a superset of inits(ck, sk), where (ck, sk) is the final configuration of ρ.

For any computation ρ, trace(ρ) is (as before) the simple trace that records the transitions made along ρ, and unused(ρ) is the set of channels that are enabled but not used along ρ. We also define En(ρ) to be the sequence of enabling sets encountered along the computation ρ. For example, if ρ is the (possibly partial) computation

$$\rho = (c, s_0) \to \cdots \to (c_k, s_k),$$

then the sequence En(ρ) is defined as En(ρ) = (E0, E1, ..., Ek), where Ei = comms(ci, si) for each i. Note that, when the configuration (ck, sk) is terminal, the set Ek = comms(ck, sk) = ∅. Moreover, for any finite transition sequence ρ of length k, En(ρ) is a sequence of k+1 sets. For technical reasons that will be made explicit in the next section, it is important to record the types of communications enabled in the final configuration of a transition sequence.
Using these definitions, we can give an operational characterization of a channel-fair trace semantics $\mathcal{T}_{ch} : \mathit{Com} \to \mathcal{P}(\Phi_{ch})$ as follows:

$$\begin{aligned}
\mathcal{T}_{ch}[\![c]\!] = {} & \{(\mathit{trace}(\rho), (F, \mathit{unused}(\rho), \mathit{En}(\rho), f)) \mid \rho = (c,s_0) \to (c_1,s_1) \to \cdots \to (c_k,s_k)\,\mathit{term} \text{ is channel-fair mod } (F,\emptyset)\}\\
& \cup \{(\mathit{trace}(\rho), (F, \emptyset, \mathit{En}(\rho), p)) \mid F \supseteq \mathit{inits}(c_k,s_k) \ \&\ \rho = (c,s_0) \to (c_1,s_1) \to \cdots \to (c_k,s_k) \ \&\ \neg(c_k,s_k)\,\mathit{term}\}\\
& \cup \{(\mathit{trace}(\rho), (F, U, \mathit{En}(\rho), i)) \mid \rho = (c,s_0) \to \cdots \to (c_k,s_k) \to \cdots \text{ is channel-fair mod } (F,U)\}.
\end{aligned}$$

5.4  Channel-Fair  Trace  Semantics 

To give a denotational characterization of the semantic function $\mathcal{T}_{ch}$, we follow the approach taken in Section 3.3: for each language construct, we introduce an operation on trace sets that reflects the construct's operational behavior. Because the semantic operators reflect operational behavior, they retain the flavor of the operators introduced on strongly fair trace sets. In fact, the manipulation of the simple-trace components and the fairness sets F remains the same. As a result, the explanations of the semantic operators that follow focus on the new aspects of channel-fair traces, namely the sequences of enabling sets and the sets of insufficiently used channels.

We begin with a semantic function $\mathcal{T}_{ch} : \mathit{BExp} \to \mathcal{P}(\Phi_{ch})$ such that, for each boolean expression b,

$$\begin{aligned}
\mathcal{T}_{ch}[\![b]\!] = {} & \{((s,\delta,s), (F,\emptyset,(\emptyset,\emptyset),f)) \mid (s,\mathit{tt}) \in \mathcal{B}[\![b]\!] \ \&\ F \in \mathcal{P}_{\mathit{fin}}(\Delta)\}\\
& \cup \{(\varepsilon_s, (F,\emptyset,(\emptyset),p)) \mid (s,\mathit{tt}) \in \mathcal{B}[\![b]\!] \ \&\ F \supseteq \{\delta\}\}.
\end{aligned}$$

Intuitively, each finite trace ((s,δ,s), (F,∅,(∅,∅),f)) in $\mathcal{T}_{ch}[\![b]\!]$ represents a transition made in the evaluation of the boolean expression b, either to unroll a loop or to select the appropriate component of a conditional. Such a step (taken in isolation) is fair mod F and has no communications enabled along it. Similarly, the partial trace (εs, (F,∅,(∅),p)) indicates that, from any initial state s satisfying b, there is exactly one type of transition possible, and it involves an internal action.

Based on the operational characterization of $\mathcal{T}_{ch}$, it is easy to see that

$$\begin{aligned}
\mathcal{T}_{ch}[\![\mathit{skip}]\!] = {} & \{((s,\delta,s), (F,\emptyset,(\emptyset,\emptyset),f)) \mid s \in S \ \&\ F \in \mathcal{P}_{\mathit{fin}}(\Delta)\}\\
& \cup \{(\varepsilon_s, (F,\emptyset,(\emptyset),p)) \mid s \in S \ \&\ F \supseteq \{\delta\}\}
\end{aligned}$$

and

$$\begin{aligned}
\mathcal{T}_{ch}[\![i := e]\!] = {} & \{((s,\delta,[s \mid i = n]), (F,\emptyset,(\emptyset,\emptyset),f)) \mid i \in \mathit{dom}(s) \ \&\ F \in \mathcal{P}_{\mathit{fin}}(\Delta) \ \&\ (s,n) \in \mathcal{E}[\![e]\!]\}\\
& \cup \{(\varepsilon_s, (F,\emptyset,(\emptyset),p)) \mid \mathit{fv}[\![i := e]\!] \subseteq \mathit{dom}(s) \ \&\ F \supseteq \{\delta\}\}.
\end{aligned}$$

Because neither skip nor assignment enables communication along any channels, none of their traces include any insufficiently used channels.

For guards, we obtain the following semantic definitions:

$$\begin{aligned}
\mathcal{T}_{ch}[\![h?i]\!] = {} & \{((s,h?n,[s \mid i = n]), (F,\emptyset,(\{h?\},\emptyset),f)) \mid i \in \mathit{dom}(s) \ \&\ n \in \mathbb{Z} \ \&\ F \in \mathcal{P}_{\mathit{fin}}(\Delta)\}\\
& \cup \{(\varepsilon_s, (F,\emptyset,(\{h?\}),p)) \mid i \in \mathit{dom}(s) \ \&\ F \supseteq \{h?\}\},\\
\mathcal{T}_{ch}[\![h!e]\!] = {} & \{((s,h!n,s), (F,\emptyset,(\{h!\},\emptyset),f)) \mid (s,n) \in \mathcal{E}[\![e]\!] \ \&\ F \in \mathcal{P}_{\mathit{fin}}(\Delta)\}\\
& \cup \{(\varepsilon_s, (F,\emptyset,(\{h!\}),p)) \mid \mathit{fv}[\![e]\!] \subseteq \mathit{dom}(s) \ \&\ F \supseteq \{h!\}\}.
\end{aligned}$$

The successful computations of h?i and h!e necessarily use channel h, the only channel on which communication is enabled. As a result, their traces do not include any insufficiently used channels.

Sequential composition

The composability criterion for channel-fair traces is the same as that for strongly fair traces: φ1 and φ2 are composable whenever φ1 is an infinite or partial trace, or when φ1 is a finite trace and the initial state of φ2 is the final state of φ1. When φ1 is an infinite or partial trace, the concatenation φ1φ2 is simply the trace φ1. When φ1 is a finite trace, the concatenation φ1φ2 must account accurately for the sequences of enabling sets as well as for the unused channels of the resulting trace. We discuss these concerns in turn.

A finite trace φ1 = (α, (F1, U1, ℰ1, f)) represents a successfully terminating computation ρ1 of some command c1. However, when ρ1 is used to generate a computation of the command (c1;c2), the final configuration of ρ1 is skipped: c1's final action instead leads to the initial configuration of a computation of c2. Likewise, in combining the finite trace φ1 with a trace φ2 = (β, (F2, U2, ℰ2, R2)), the final element of ℰ1 should not appear in the resulting trace's sequence of enabling sets. Therefore, for sequences ℰ1 and ℰ2, we let ℰ1ℰ2 indicate the standard notion of sequence concatenation, and we define ℰ1 · ℰ2 to be the sequence that looks like ℰ1 (with its final element removed), followed by ℰ2. For example, if ℰ1 = (A0, A1, ..., Ak−1, Ak) and ℰ2 = (B0, B1, ..., Bn), then ℰ1ℰ2 and ℰ1 · ℰ2 are defined as follows:

$$\begin{aligned}
\mathcal{E}_1\mathcal{E}_2 &= (A_0, A_1, \ldots, A_{k-1}, A_k, B_0, B_1, \ldots, B_n),\\
\mathcal{E}_1 \cdot \mathcal{E}_2 &= (A_0, A_1, \ldots, A_{k-1}, B_0, B_1, \ldots, B_n).
\end{aligned}$$
The sequence ℰ1 · ℰ2 accurately represents the sequence of enabling sets encountered along (the computation represented by) the trace φ1φ2.

The definition of concatenation must also account properly for the insufficiently used channels of the resulting trace. When combining the finite trace φ1 = (α, (F1, U1, ℰ1, f)) with a partial or infinite trace φ2 = (β, (F2, U2, ℰ2, R2)), the set U2 adequately represents the channel constraints of the resulting trace: φ1φ2 is either partial (in which case the set U2 = ∅ is appropriate) or infinite (in which case φ1's finitely enabled channels are irrelevant). However, the case where both traces are finite requires more care: a trace's set of unused channels is defined relative to the directions enabled along the trace, and one trace may use some of the other's unused channels. The enabled but unused channels of φ1φ2 are those channels in U1 that are not used along φ2, combined with those channels in U2 that are not used along φ1. For each trace φi, the used channels of φi are those channels that appear along the sequence ℰi but not in the set Ui. Given an enabling set E, we let chans(E) be the set of channels with directions in E:

$$\mathit{chans}(E) = \{h \mid \exists d \in E.\ \mathit{chan}(d) = h\}.$$

Likewise, chans(ℰ) is the set of channels with directions occurring along the sequence ℰ: a channel h is in chans(ℰ) if there is a set E occurring along ℰ such that h is in chans(E). It follows that the used channels of the finite trace φi can be given by the set chans(ℰi) − Ui, and the unused channels of the trace φ1φ2 can be given by the set

$$(U_1 - (\mathit{chans}(\mathcal{E}_2) - U_2)) \cup (U_2 - (\mathit{chans}(\mathcal{E}_1) - U_1)).$$

We therefore define concatenation on the finite trace φ1 = (α, (F1, U1, ℰ1, f)) and the finite, partial, or infinite trace φ2 = (β, (F2, U2, ℰ2, R2)) by

$$\varphi_1\varphi_2 = (\alpha\beta, (F_2, U, \mathcal{E}_1 \cdot \mathcal{E}_2, R_2)),$$

where the set U of insufficiently used channels is in turn defined as

$$U = \begin{cases}
(U_1 - (\mathit{chans}(\mathcal{E}_2) - U_2)) \cup (U_2 - (\mathit{chans}(\mathcal{E}_1) - U_1)), & \text{if } R_2 = f,\\
U_2, & \text{if } R_2 \in \{i, p\}.
\end{cases}$$

As before, we define sequential composition on trace sets T1 and T2 by

$$T_1; T_2 = \{\varphi_1\varphi_2 \mid \varphi_1 \in T_1 \ \&\ \varphi_2 \in T_2 \ \&\ \mathit{composable}(\varphi_1, \varphi_2)\},$$

and thus we can define

$$\mathcal{T}_{ch}[\![c_1; c_2]\!] = \mathcal{T}_{ch}[\![c_1]\!]; \mathcal{T}_{ch}[\![c_2]\!], \qquad \mathcal{T}_{ch}[\![g \to c]\!] = \mathcal{T}_{ch}[\![g]\!]; \mathcal{T}_{ch}[\![c]\!],$$

and

$$\mathcal{T}_{ch}[\![\mathbf{if}\ b\ \mathbf{then}\ c_1\ \mathbf{else}\ c_2]\!] = \mathcal{T}_{ch}[\![b]\!]; \mathcal{T}_{ch}[\![c_1]\!] \cup \mathcal{T}_{ch}[\![\neg b]\!]; \mathcal{T}_{ch}[\![c_2]\!].$$
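The concatenation rule for channel-fair traces, as an added example (my own code, not the dissertation's). A trace is encoded as (α, (F, U, ℰ, R)) with α a tuple of (s, label, s') steps, F and U frozensets, ℰ a tuple of frozensets and R one of "f", "p", "i"; states and labels are plain strings of my choosing. The sample traces are constructed by hand to match Q'1 of Example 5.2.2 (taking the c branch, so channel b is enabled but unused) followed by either b!0 → skip, skip, or an infinite continuation, which shows how a later trace can discharge an earlier trace's unused channel and how the U component is taken over unchanged when φ2 is not finite.

```python
# Added example (not from the dissertation): concatenation of channel-fair
# traces. Encoding (my own): a trace is (alpha, (F, U, Es, R)) with alpha a
# tuple of (s, label, s') steps, F a frozenset of directions, U a frozenset
# of channels, Es a tuple of enabling sets (frozensets) and R in {"f","p","i"}.

def chan(d):
    """Channel of a direction: chan("b!") == "b"."""
    return d[:-1]

def chans_of_set(e):
    """chans(E): channels having a direction in E (a bare channel name in E
    always comes with its directions, so skipping it loses nothing)."""
    return frozenset(chan(d) for d in e if d.endswith(("!", "?")))

def chans_of_seq(es):
    """chans(Es): channels with a direction in some set along the sequence."""
    return frozenset().union(*(chans_of_set(e) for e in es))

def dot(es1, es2):
    """Es1 . Es2: Es1 with its final element removed, followed by Es2."""
    return tuple(es1[:-1]) + tuple(es2)

def composable(phi1, phi2):
    """phi1 infinite/partial, or phi1 finite with its final state equal to
    the initial state of phi2 (empty simple traces impose no constraint)."""
    alpha1, (_f1, _u1, _es1, r1) = phi1
    alpha2, _ = phi2
    if r1 != "f" or not alpha1 or not alpha2:
        return True
    return alpha1[-1][2] == alpha2[0][0]

def concat(phi1, phi2):
    """phi1 phi2 as defined in the text; phi1 must be composable with phi2."""
    if not composable(phi1, phi2):
        raise ValueError("traces are not composable")
    alpha1, (f1, u1, es1, r1) = phi1
    alpha2, (f2, u2, es2, r2) = phi2
    if r1 != "f":
        return phi1                      # partial/infinite phi1: phi1 phi2 = phi1
    used1 = chans_of_seq(es1) - u1       # channels phi1 actually used
    used2 = chans_of_seq(es2) - u2
    if r2 == "f":
        u = (u1 - used2) | (u2 - used1)  # each side may use the other's unused channels
    else:
        u = u2                           # partial: empty; infinite: phi1's channels irrelevant
    return (tuple(alpha1) + tuple(alpha2), (f2, u, dot(es1, es2), r2))

# Constructed sample traces (states and labels are strings of my choosing).
S = "s"
E = frozenset
# Q'1 = a!0 -> (b!0 -> skip [] c!0 -> skip), taking the c branch: b enabled, never used.
PHI_Q1 = (((S, "a!0", S), (S, "c!0", S), (S, "delta", S)),
          (E(), E({"b"}), (E({"a!"}), E({"b!", "c!"}), E(), E()), "f"))
# b!0 -> skip: uses channel b.
PHI_BSKIP = (((S, "b!0", S), (S, "delta", S)),
             (E(), E(), (E({"b!"}), E(), E()), "f"))
# skip: uses nothing.
PHI_SKIP = (((S, "delta", S),),
            (E(), E(), (E(), E()), "f"))
# An infinite continuation with its own unused channel d (alpha abbreviated).
PHI_INF = (((S, "d!0", S),),
           (E(), E({"d"}), (E({"d!"}), E({"d!"})), "i"))

def unused_after(phi1, phi2):
    """The set U of insufficiently used channels of the concatenation phi1 phi2."""
    return concat(phi1, phi2)[1][1]

if __name__ == "__main__":
    print(sorted(unused_after(PHI_Q1, PHI_BSKIP)))  # []    : b discharged by the b!0 step
    print(sorted(unused_after(PHI_Q1, PHI_SKIP)))   # ['b'] : b still unused
    print(sorted(unused_after(PHI_Q1, PHI_INF)))    # ['d'] : U2 taken as is
```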
Iteration

Let (φi)i≥0 be an infinite sequence of channel-fair traces such that, for each i ≥ 0, φi = (αi, (Fi, Ui, ℰi, Ri)). The sequence is composable if the set $\overset{\infty}{\bigcup}_{i \ge 0} F_i$ is finite and (for each i) the traces φ0φ1···φi−1 and φi are composable. (Throughout, $\overset{\infty}{\bigcup}$ applied to a family of sets denotes the set of elements that occur in infinitely many members of the family.)

When each φi is finite, the insufficiently used channels of the infinite concatenation are those channels that appear in infinitely many sets Ui and in only finitely many sets chans(ℰi) − Ui. Thus we define the infinite concatenation of the infinite sequence (φi)i≥0 of finite traces to be

$$\varphi_0\varphi_1\varphi_2\cdots = \Bigl(\alpha_0\alpha_1\alpha_2\cdots,\ \bigl(\overset{\infty}{\bigcup}_{i \ge 0} F_i,\ \overset{\infty}{\bigcup}_{i \ge 0} U_i - \overset{\infty}{\bigcup}_{i \ge 0} (\mathit{chans}(\mathcal{E}_i) - U_i),\ \mathcal{E}_0 \cdot \mathcal{E}_1 \cdot \mathcal{E}_2 \cdots,\ i\bigr)\Bigr),$$

where ℰ0 · ℰ1 · ℰ2 · ··· is the obvious extension of the operation ℰ1 · ℰ2 to the infinite series of finite sequences ℰi.

When at least one of the traces φi is partial or infinite, then the first such φi provides the relevant contextual information for the resulting trace; thus, if φk is the first nonfinite trace, then the infinite concatenation of the sequence (φi)i≥0 is

$$\varphi_0\varphi_1\varphi_2\cdots = (\alpha_0\alpha_1\cdots\alpha_k, (F_k, U_k, \mathcal{E}_0 \cdot \mathcal{E}_1 \cdot \mathcal{E}_2 \cdots \mathcal{E}_k, R_k)).$$

Finite iteration on the trace set T is again defined by

$$T^* = \bigcup_{i \ge 0} T^i,$$

where we define T⁰ = {(εs, (∅, ∅, (∅), f)) | s ∈ S} and Tⁱ⁺¹ = Tⁱ; T. Infinite iteration on the trace set T is defined as follows:

$$T^\omega = \{\varphi_0\varphi_1\cdots\varphi_k\cdots \mid (\forall i \ge 0.\ \varphi_i \in T) \ \&\ \mathit{composable}((\varphi_i)_{i \ge 0})\}.$$

Using these definitions, we give the following semantics for loops:

$$\mathcal{T}_{ch}[\![\mathbf{while}\ b\ \mathbf{do}\ c]\!] = (\mathcal{T}_{ch}[\![b]\!]; \mathcal{T}_{ch}[\![c]\!])^\omega \cup (\mathcal{T}_{ch}[\![b]\!]; \mathcal{T}_{ch}[\![c]\!])^*; \mathcal{T}_{ch}[\![\neg b]\!].$$

Guarded choice

Every computation ρ of gc1 or gc2 induces a computation of gc1 □ gc2 that looks like ρ, with the following exception: the actions enabled in its initial configuration are those actions enabled by either component. Intuitively, every channel-fair trace φ of gc1 or gc2 should likewise induce a channel-fair trace of gc1 □ gc2 that looks like φ, with the following related exception: its initial enabling set should contain those directions initially enabled by either component. For example, if φ1 = (εsα, (F1, U1, (E1)ℰ1, R1)) represents a computation of the chosen component and φ2 = (εs, (F2, ∅, (E2), p)) is an initial partial trace of the unchosen component, then there is a computation ρ of gc1 □ gc2 whose representative trace has simple-trace component α and initial enabling set E1 ∪ E2. When φ1 is finite, we may also need to update the resulting trace's set of unused channels. The insufficiently used channels of the finite computation ρ are those channels used insufficiently along φ1 (i.e., U1) plus those channels with a direction in E2 that are not enabled along φ1 (i.e., chans(E2) − chans((E1)ℰ1)).

We therefore define guarded choice on channel-fair trace sets as follows:

$$\begin{aligned}
T_1 \mathbin{\Box} T_2 = {} & \{(\alpha, (F_1, U_1, (E_1 \cup E_2)\mathcal{E}_1, R_1)) \mid R_1 \in \{p, i\}\\
& \quad \&\ (\varepsilon_s\alpha, (F_1, U_1, (E_1)\mathcal{E}_1, R_1)) \in T_1 \ \&\ (\varepsilon_s, (F_2, \emptyset, (E_2), p)) \in T_2\}\\
& \cup \{(\alpha, (F_2, U_2, (E_1 \cup E_2)\mathcal{E}_2, R_2)) \mid R_2 \in \{p, i\}\\
& \quad \&\ (\varepsilon_s\alpha, (F_2, U_2, (E_2)\mathcal{E}_2, R_2)) \in T_2 \ \&\ (\varepsilon_s, (F_1, \emptyset, (E_1), p)) \in T_1\}\\
& \cup \{(\alpha, (F_1, U_1 \cup (\mathit{chans}(E_2) - \mathit{chans}((E_1)\mathcal{E}_1)), (E_1 \cup E_2)\mathcal{E}_1, f)) \mid\\
& \quad (\varepsilon_s\alpha, (F_1, U_1, (E_1)\mathcal{E}_1, f)) \in T_1 \ \&\ (\varepsilon_s, (F_2, \emptyset, (E_2), p)) \in T_2\}\\
& \cup \{(\alpha, (F_2, U_2 \cup (\mathit{chans}(E_1) - \mathit{chans}((E_2)\mathcal{E}_2)), (E_1 \cup E_2)\mathcal{E}_2, f)) \mid\\
& \quad (\varepsilon_s\alpha, (F_2, U_2, (E_2)\mathcal{E}_2, f)) \in T_2 \ \&\ (\varepsilon_s, (F_1, \emptyset, (E_1), p)) \in T_1\}.
\end{aligned}$$

Unlike the definition of guarded choice for strongly fair trace sets, this definition needs to account accurately for the initial enabling sets and the sets of unused channels. However, the underlying essence of the operation remains the same. We define

$$\mathcal{T}_{ch}[\![gc_1 \mathbin{\Box} gc_2]\!] = \mathcal{T}_{ch}[\![gc_1]\!] \mathbin{\Box} \mathcal{T}_{ch}[\![gc_2]\!].$$


Channel restriction

For process-fair trace sets, the trace set T\h is constructed from the set T by discarding those traces that use channel h visibly, and then removing h! and h? from the enabling and fairness sets of the traces that remain. We can define a similar operation on channel-fair trace sets, but this operation must also verify that the fairness constraints on channel h are satisfied. In particular, we should discard any infinite trace φ = (α, (F, U, ℰ, i)) that has the channel h both in its set U of insufficiently used channels and in infinitely many of the sets along its sequence ℰ of enabling sets: such traces correspond to non-channel-fair computations that use channel h only finitely often despite having synchronization on h enabled infinitely often. For a sequence ℰ of enabling sets, we let $\overset{\infty}{\bigcup}\mathcal{E}$ be the set of directions that appear in infinitely many of the sets along ℰ, and we discard any trace for which h ∈ U and h ∈ $\overset{\infty}{\bigcup}\mathcal{E}$.

For any enabling set E, E\h is the set that results from removing all references to channel h: E\h = E − {h!, h?, h}. This operation extends to sequences of sets in the obvious way: for example, (E0, E1, E2, ..., Ek)\h = (E0\h, E1\h, E2\h, ..., Ek\h). Given a trace set T and a channel h, we then define the channel restriction of h on T by

$$\begin{aligned}
T \backslash h = {} & \{(\alpha, (F', U \backslash h, \mathcal{E} \backslash h, f)) \mid (\alpha, (F, U, \mathcal{E}, f)) \in T \ \&\ F' \supseteq F \backslash h \ \&\ h \notin \mathit{chans}(\alpha)\}\\
& \cup \{(\alpha, (F', \emptyset, \mathcal{E} \backslash h, p)) \mid (\alpha, (F, \emptyset, \mathcal{E}, p)) \in T \ \&\ F' \supseteq F \backslash h \ \&\ h \notin \mathit{chans}(\alpha)\}\\
& \cup \{(\alpha, (F', U \backslash h, \mathcal{E} \backslash h, i)) \mid (\alpha, (F, U, \mathcal{E}, i)) \in T\\
& \quad \&\ (h \in U \Rightarrow h \notin \overset{\infty}{\bigcup}\mathcal{E}) \ \&\ F' \supseteq F \backslash h \ \&\ h \notin \mathit{chans}(\alpha)\},
\end{aligned}$$

and we define $\mathcal{T}_{ch}[\![c \backslash h]\!] = \mathcal{T}_{ch}[\![c]\!] \backslash h$.
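Channel restriction on channel-fair traces, as an added example (my own code, not the dissertation's), including the check that discards an infinite trace having h both in U and in infinitely many of its enabling sets. The encoding is my own: a trace is (α, (F, U, ℰ, R)), and for an infinite trace ℰ is an eventually periodic pair (prefix, cycle) so that $\overset{\infty}{\bigcup}\mathcal{E}$ is computable, while α lists the visible steps of one period. The sample data are one period each of the computations ρ (Example 5.2.2) and ρ' (Example 5.2.3) of Q1 ‖ Q2, with enabling sets worked out by hand from the seven configurations of each period; restricting on b keeps the first and discards the second, as the examples state.

```python
# Added example (not from the dissertation): channel restriction T\h on
# channel-fair traces. Encoding (my own): a trace is (alpha, (F, U, Es, R));
# for R == "i", Es is an eventually periodic pair (prefix, cycle) of tuples
# of frozensets, and alpha lists the visible steps of one period.
import re

def chans_of_alpha(alpha):
    """Channels used visibly along alpha; labels look like 'a!0', 'b?x', 'delta'."""
    out = set()
    for _s, label, _t in alpha:
        m = re.match(r"([A-Za-z]+)[!?]", label)
        if m:
            out.add(m.group(1))
    return frozenset(out)

def restrict_set(e, h):
    """E\\h = E - {h!, h?, h}."""
    return frozenset(e) - {h + "!", h + "?", h}

def inf_union(es):
    """Elements occurring in infinitely many sets of an eventually periodic
    sequence (prefix, cycle): exactly the elements of the sets in the cycle."""
    _prefix, cycle = es
    return frozenset().union(*cycle) if cycle else frozenset()

def restrict_trace(phi, h):
    """phi\\h, or None when phi is discarded by the restriction."""
    alpha, (f, u, es, r) = phi
    if h in chans_of_alpha(alpha):
        return None                               # h used visibly: not a trace of c\h
    if r == "i" and h in u and h in inf_union(es):
        return None                               # h ignored although sync on h enabled infinitely often
    f2 = frozenset(f) - {h + "!", h + "?"}         # F' may be any superset of F\h; take F\h itself
    if r == "i":
        prefix, cycle = es
        es2 = (tuple(restrict_set(e, h) for e in prefix),
               tuple(restrict_set(e, h) for e in cycle))
    else:
        es2 = tuple(restrict_set(e, h) for e in es)
    return (alpha, (f2, frozenset(u) - {h}, es2, r))

def restrict(traces, h):
    """T\\h over a set of traces."""
    return {phi2 for phi2 in (restrict_trace(phi, h) for phi in traces) if phi2 is not None}

# Constructed data: one period of rho (Example 5.2.2) and rho' (Example 5.2.3),
# with enabling sets computed by hand from the seven configurations of each period.
E = frozenset
PERIOD_STEPS = (("s", "delta", "s"), ("s", "delta", "s"), ("s", "a!0", "s"),
                ("s", "a!0", "s"), ("s", "c!0", "s"), ("s", "delta", "s"), ("s", "delta", "s"))
CYCLE_RHO = (E(), E({"a!", "b?"}), E({"a!", "b?"}), E({"a!"}), E({"b!", "c!"}), E(), E())
CYCLE_RHO_PRIME = (E(), E({"a!", "b?"}), E({"a!", "b?"}),
                   E({"a!", "b!", "b?", "c!", "b"}),      # b! and b? together: sync on b enabled
                   E({"b!", "c!"}), E(), E())
RHO = (PERIOD_STEPS, (E(), E({"b"}), ((), CYCLE_RHO), "i"))
RHO_PRIME = (PERIOD_STEPS, (E(), E({"b"}), ((), CYCLE_RHO_PRIME), "i"))

if __name__ == "__main__":
    print(restrict_trace(RHO, "b") is not None)   # True : (Q1 || Q2)\b keeps rho
    print(restrict_trace(RHO_PRIME, "b"))         # None : rho' is discarded
```

Both traces carry the same U = {b}; the only difference is that one enabling set in the period of ρ' contains the bare channel b, which is exactly what the infinite-trace clause of the definition inspects.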

Parallel composition

Parameterized channel fairness relies on two types of fairness constraints: process constraints, which place limits on which computations can be combined through parallel composition, and channel constraints, which place limits on which computations can be "restricted" (in the sense of channel restriction). Because only the process constraints affect which computations can be combined meaningfully, the mergeability requirements (and the mergeable predicate) remain the same as for process fairness, modulo the need to extract the set of infinitely enabled directions from the sequence of enabling sets. For channel-fair traces φ1 = (α1, (F1, U1, ℰ1, R1)) and φ2 = (α2, (F2, U2, ℰ2, R2)), we define the predicate mergeable(φ1, φ2) as follows:

$$\begin{aligned}
\mathit{mergeable}(\varphi_1, \varphi_2) \iff {} & (R_1 = f) \text{ or } (R_2 = f) \text{ or } (R_1 = R_2 = p) \text{ or } (\delta \notin F_1 \cup F_2\\
& \ \&\ \neg\mathit{match}(F_1, \overset{\infty}{\bigcup}\mathcal{E}_2) \ \&\ \neg\mathit{match}(F_2, \overset{\infty}{\bigcup}\mathcal{E}_1) \ \&\ F_1 \cap \mathit{vis}(\alpha_2) = \emptyset \ \&\ F_2 \cap \mathit{vis}(\alpha_1) = \emptyset).
\end{aligned}$$

This predicate makes no mention of the sets U1 and U2: channel constraints are orthogonal to the issue of mergeability.

To define a fairmerge operation on channel-fair traces, we employ an approach similar to that taken in Section 3.3, defining new sets both and one that account for traces' unused channels and sequences of enabling sets. However, before constructing these sets, we need to define several auxiliary operations.

We begin by introducing a concatenation-like operator • on channel-fair traces that allows us to combine traces that represent segments of computations (rather than complete computations) while maintaining accurate enabling information. The idea is that, given two traces φ1 and φ2, their fair merges are defined by interleaving and synchronizing finite portions of each (at least until one or both traces "run out") and then combining all of the partial results. To record the sequences of enabling sets accurately, we need a way to split each φi into the appropriate finite
portions without losing any of the relevant enabling information. For example, consider the transition sequence

$$\rho = (c, s_0) \to \cdots \to (c_n, s_n),$$

which can be separated into the following two transition sequences (for any k):

$$\begin{aligned}
\rho_1 &= (c, s_0) \to \cdots \to (c_k, s_k),\\
\rho_2 &= (c_k, s_k) \to (c_{k+1}, s_{k+1}) \to \cdots \to (c_n, s_n).
\end{aligned}$$

For each ρ, there are as many such decompositions as there are configurations occurring along ρ; in each case, the final configuration of ρ1 is the initial configuration of ρ2. If we let channel-fair traces φ1 and φ2 represent ρ1 and ρ2, respectively (ignoring for the moment that ρ1 is not a successfully terminating computation), then we should be able to define an operation φ1 • φ2 that represents the computation ρ. The trace φ1 • φ2 needs to be defined only when φ1 is a finite trace with form (α1, (F1, ℰ1(X), f)) and φ2 has form (α2, (F2, (X)ℰ2, R)), that is, when the final enabling set of φ1 is the first enabling set of φ2. In such cases, we define

$$\varphi_1 \bullet \varphi_2 = (\alpha_1\alpha_2, (F_2, \mathcal{E}_1(X)\mathcal{E}_2, R)),$$

which indeed is a valid representation for the computation ρ. (Note that, when defined, the trace φ1 • φ2 is precisely the more general concatenation φ1φ2. We can also extend this operation to infinite sequences of traces in the obvious way, basing it on infinite concatenation.) We then extend this operation to sets of triples of traces in the obvious way: for sets Y1 and Y2,

$$\begin{aligned}
Y_1 \bullet Y_2 = \{&(\varphi_1 \bullet \varphi_1', \varphi_2 \bullet \varphi_2', \varphi_3 \bullet \varphi_3') \mid (\varphi_1, \varphi_2, \varphi_3) \in Y_1 \ \&\ (\varphi_1', \varphi_2', \varphi_3') \in Y_2\\
& \&\ \varphi_1 \bullet \varphi_1',\ \varphi_2 \bullet \varphi_2',\ \varphi_3 \bullet \varphi_3' \text{ defined}\}.
\end{aligned}$$

We also define the obvious iterative extensions to the dot operator. For a set Y of triples of traces, the finite iteration of Y is defined by

$$Y^* = \bigcup_{i \ge 0} Y^i,$$

where Y⁰ = {(φ, φ, φ) | ∃s ∈ S, X ∈ 𝒫fin(Δ). φ = (εs, (∅, ∅, (X), f))} and Yⁱ⁺¹ = Yⁱ • Y. The infinite iteration of Y is defined by

$$\begin{aligned}
Y^\omega = \{&(\varphi_0 \bullet \varphi_1 \bullet \cdots \bullet \varphi_k \bullet \cdots,\ \varphi_0' \bullet \varphi_1' \bullet \cdots \bullet \varphi_k' \bullet \cdots,\ \varphi_0'' \bullet \varphi_1'' \bullet \cdots \bullet \varphi_k'' \bullet \cdots) \mid\\
& \forall i \ge 0.\ (\varphi_i, \varphi_i', \varphi_i'') \in Y \ \&\ \varphi_i \bullet \varphi_{i+1},\ \varphi_i' \bullet \varphi_{i+1}',\ \varphi_i'' \bullet \varphi_{i+1}'' \text{ are all defined}\}.
\end{aligned}$$


We again make use of the interleaving ($\alpha \amalg \beta$) and merging ($\alpha \| \beta$) operators on simple traces, and we introduce corresponding operators on sequences of enabling sets. For a (finite or infinite) sequence $\mathcal{E}$ and the enabling set $E$, $\mathcal{E} \amalg E$ is the sequence $\mathcal{E}$ with the set $E$ propagated: for example,

$$(E_0, E_1, E_2, \ldots, E_k) \amalg E = (E_0\|E,\ E_1\|E,\ E_2\|E,\ \ldots,\ E_k\|E).$$

For finite sequences $\mathcal{E}_1 = (A_0, A_1, \ldots, A_k)$ and $\mathcal{E}_2 = (B_0, B_1, \ldots, B_n)$, the sequence $\mathcal{E}_1 \amalg \mathcal{E}_2$ is the sequence $\mathcal{E}_1$ (with the set $B_0$ propagated) followed by the sequence $\mathcal{E}_2$ (with the set $A_k$ propagated). That is,

$$\mathcal{E}_1 \amalg \mathcal{E}_2 = (\mathcal{E}_1 \amalg B_0)\cdot(\mathcal{E}_2 \amalg A_k) = (A_0\|B_0,\ A_1\|B_0,\ \ldots,\ A_{k-1}\|B_0,\ A_k\|B_0,\ A_k\|B_1,\ \ldots,\ A_k\|B_n).$$

Intuitively, if $\mathcal{E}_1$ is the sequence of enabling sets occurring along the transition sequence represented by $\alpha$ and $\mathcal{E}_2$ is the sequence of enabling sets for $\beta$, then $\mathcal{E}_1 \amalg \mathcal{E}_2$ is the sequence of enabling sets that occurs along the transition sequence represented by $\alpha \amalg \beta$. This definition requires knowing which directions are enabled in the final configuration of a transition sequence (and, indeed, it is precisely for this reason that we include the final enabling set in the channel-fair traces). After one component performs its transitions $\alpha$, the directions enabled in its final configuration remain enabled as the other component makes its transitions $\beta$. For example, consider the transition sequences

$$\rho_1 = \langle a!0 \to b!0 \to a?x,\ s_1\rangle \to \langle b!0 \to a?x,\ s_1\rangle \to \langle a?x,\ s_1\rangle$$

and

$$\rho_2 = \langle a!1 \to b!1,\ s_2\rangle \to \langle b!1,\ s_2\rangle,$$

which can be interleaved to yield the following transition sequence:

$$\rho = \langle (a!0 \to b!0 \to a?x) \,\|\, (a!1 \to b!1),\ s\rangle \to \langle (b!0 \to a?x) \,\|\, (a!1 \to b!1),\ s\rangle \to \langle a?x \,\|\, (a!1 \to b!1),\ s\rangle \to \langle a?x \,\|\, b!1,\ s\rangle.$$

Just before the right component makes its $a!1$ transition, the direction $a?$, which is enabled in the final configuration of $\rho_1$, is also enabled for the parallel command. The transition sequences $\rho_1$ and $\rho_2$ can be represented by the channel-fair traces

$$\varphi_1 = ((s_1, a!0, s_1)(s_1, b!0, s_1),\ (\emptyset, \emptyset, (\{a!\}, \{b!\}, \{a?\}), \mathsf{f}))$$

and

$$\varphi_2 = ((s_2, a!1, s_2),\ (\emptyset, \emptyset, (\{a!\}, \{b!\}), \mathsf{f})).$$

The sequence of enabled sets along $\rho$ can therefore be defined by

$$(\{a!\}, \{b!\}, \{a?\}) \amalg (\{a!\}, \{b!\}) = (\{a!\},\ \{b!, a!\},\ \{a?, a!, a\},\ \{a?, b!\}).$$

Finally, analogous to the definition of $\alpha\|\beta$ for matching simple traces $\alpha$ and $\beta$, we define the operation $\mathcal{E}_1\|\mathcal{E}_2$ when $\mathcal{E}_1$ and $\mathcal{E}_2$ are sequences of enabled sets with equal length. That is, if $\mathcal{E}_1 = (A_0, A_1, \ldots, A_k)$, $\mathcal{E}_2 = (B_0, B_1, \ldots, B_n)$, and $k = n$, we define

$$\mathcal{E}_1 \| \mathcal{E}_2 = (A_0\|B_0,\ A_1\|B_1,\ \ldots,\ A_k\|B_k).$$

Intuitively, $\mathcal{E}_1\|\mathcal{E}_2$ represents the sequence of enabling sets encountered along a transition sequence in which the two components of a parallel command repeatedly synchronize with one another.

With these operations in hand, we can define the related operations $\varphi_1 \amalg \varphi_2$ and $\varphi_1 \| \varphi_2$ on finite channel-fair traces. For finite traces $\varphi_1 = (\alpha_1, (F_1, U_1, \mathcal{E}_1, \mathsf{f}))$ and $\varphi_2 = (\alpha_2, (F_2, U_2, \mathcal{E}_2, \mathsf{f}))$ such that $\alpha_1 \amalg \alpha_2$ is defined, we define

$$\varphi_1 \amalg \varphi_2 = \{(\alpha_1 \amalg \alpha_2,\ (F,\ (U_1 - M_2) \cup (U_2 - M_1),\ \mathcal{E}_1 \amalg \mathcal{E}_2,\ \mathsf{f})) \mid F \supseteq (F_1 \cup F_2)\},$$

where we again let $M_1 = \mathit{chans}(\mathcal{E}_1) - U_1$ and $M_2 = \mathit{chans}(\mathcal{E}_2) - U_2$ be the sets of used channels for $\varphi_1$ and $\varphi_2$. Intuitively, each trace $\varphi \in \varphi_1 \amalg \varphi_2$ represents a transition sequence of a parallel command in which one component performs actions corresponding to $\varphi_1$, followed by the other component performing actions corresponding to $\varphi_2$. Likewise, for matching finite traces $\varphi_1 = (\alpha_1, (F_1, U_1, \mathcal{E}_1, \mathsf{f}))$ and $\varphi_2 = (\alpha_2, (F_2, U_2, \mathcal{E}_2, \mathsf{f}))$, $\varphi_1 \| \varphi_2$ is the set of traces corresponding to their synchronization at each step:

$$\varphi_1 \| \varphi_2 = \{(\alpha_1 \| \alpha_2,\ (F,\ U_1 \cup U_2,\ \mathcal{E}_1 \| \mathcal{E}_2,\ \mathsf{f})) \mid F \supseteq (F_1 \cup F_2)\}.$$

In the case of synchronization, the two traces necessarily use the same channels; as a result, the set of insufficiently used channels is simply $U_1 \cup U_2$. We can now define the set $\mathit{both} \subseteq \Phi_{ch} \times \Phi_{ch} \times \Phi_{ch}$, whose triples represent transition sequences made while both components are active, as follows:

$$\begin{aligned}
\mathit{both} = {} & \{(\varphi_1,\varphi_2,\varphi),\ (\varphi_2,\varphi_1,\varphi) \mid \varphi_1 = (\alpha, (F_1,U_1,\mathcal{E}_1,\mathsf{f})) \ \&\ \varphi_2 = (\beta, (F_2,U_2,\mathcal{E}_2,\mathsf{f})) \ \&\ \mathit{disjoint}(\alpha,\beta) \ \&\ \varphi \in \varphi_1 \amalg \varphi_2\} \\
& \cup\ \{(\varphi_1,\varphi_2,\varphi) \mid \varphi_1 = (\alpha, (F_1,U_1,\mathcal{E}_1,\mathsf{f})) \ \&\ \varphi_2 = (\beta, (F_2,U_2,\mathcal{E}_2,\mathsf{f})) \ \&\ \mathit{disjoint}(\alpha,\beta) \ \&\ \mathit{match}(\alpha,\beta) \ \&\ \varphi \in \varphi_1 \| \varphi_2\}.
\end{aligned}$$
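The propagation, interleaving and merging operators on enabling-set sequences, together with the bookkeeping of insufficiently used channels in $\varphi_1 \amalg \varphi_2$, are mechanical enough to execute. The following Python is an added example (it is not code from the dissertation) that implements them over enabling sets represented as frozensets of strings. It reproduces the worked interleaving $(\{a!\},\{b!\},\{a?\}) \amalg (\{a!\},\{b!\})$ and then contrasts, for one loop iteration each of the processes $P$ and $Q$ of Example 5.4.2 below, the interleaved sequence (along which the channel $a$ never becomes enabled for synchronization) with the step-wise synchronized one. The reading of $A\|B$ as union plus the bare channel name whenever one side offers $h!$ and the other $h?$, the four-set shape of a loop iteration (guard step, communication step, trailing skip or assignment step), and all function names are assumptions of the example.

```python
"""Enabling-set bookkeeping for channel-fair traces (added example, not the
dissertation's code).

Directions are strings such as "a!" (output) and "a?" (input); a bare channel
name such as "a" in an enabling set records that synchronization on that
channel is enabled.  The reading of A||B (union, plus the channel name h
whenever one side offers h! and the other h?) is an assumption fixed by the
page's worked example {a?}||{a!} = {a?, a!, a}.
"""
from typing import FrozenSet, List, Sequence, Set

EnablingSet = FrozenSet[str]


def E(*items: str) -> EnablingSet:
    """Build an enabling set from its elements."""
    return frozenset(items)


def is_direction(x: str) -> bool:
    return x.endswith("!") or x.endswith("?")


def channel(x: str) -> str:
    return x[:-1] if is_direction(x) else x


def merge_sets(a: EnablingSet, b: EnablingSet) -> EnablingSet:
    """A||B: union plus every channel h with h! on one side and h? on the other."""
    result = set(a) | set(b)
    for x in a:
        for y in b:
            if (is_direction(x) and is_direction(y)
                    and channel(x) == channel(y) and x[-1] != y[-1]):
                result.add(channel(x))
    return frozenset(result)


def propagate(seq: Sequence[EnablingSet], e: EnablingSet) -> List[EnablingSet]:
    """seq with the set e propagated: E_i || e at every position."""
    return [merge_sets(x, e) for x in seq]


def interleave_seqs(e1: Sequence[EnablingSet], e2: Sequence[EnablingSet]) -> List[EnablingSet]:
    """E1 interleaved with E2: E1 with B0 propagated, then E2 with Ak propagated.
    The shared element Ak||B0 appears exactly once."""
    first = propagate(e1, e2[0])
    second = propagate(e2, e1[-1])
    assert first[-1] == second[0]  # holds because || on sets is symmetric
    return first + second[1:]


def merge_seqs(e1: Sequence[EnablingSet], e2: Sequence[EnablingSet]) -> List[EnablingSet]:
    """E1 || E2: pointwise merge of equal-length sequences (synchronizing at each step)."""
    if len(e1) != len(e2):
        raise ValueError("E1 || E2 is defined only for sequences of equal length")
    return [merge_sets(a, b) for a, b in zip(e1, e2)]


def dot_concat(e1: Sequence[EnablingSet], e2: Sequence[EnablingSet]) -> List[EnablingSet]:
    """E1(X)E2: concatenation when E1's final set equals E2's first set; X is kept once."""
    if e1[-1] != e2[0]:
        raise ValueError("final enabling set of E1 must equal first enabling set of E2")
    return list(e1) + list(e2[1:])


def chans(seq: Sequence[EnablingSet]) -> Set[str]:
    """chans(E): channels named (by a direction or a bare channel) anywhere along E."""
    return {channel(x) for e in seq for x in e}


def sync_enabled_somewhere(seq: Sequence[EnablingSet], h: str) -> bool:
    """True iff the bare channel h (synchronization on h) occurs in some set along E."""
    return any(h in e for e in seq)


def parallel_unused(u1: Set[str], e1: Sequence[EnablingSet],
                    u2: Set[str], e2: Sequence[EnablingSet]) -> Set[str]:
    """(U1 - M2) | (U2 - M1), with M_i = chans(E_i) - U_i the channels component i used."""
    m1 = chans(e1) - set(u1)
    m2 = chans(e2) - set(u2)
    return (set(u1) - m2) | (set(u2) - m1)


# Constructed sample data: one loop iteration of P and of Q from Example 5.4.2,
# read as four enabling sets (guard step, communication step, trailing step).
P_ITER = [E(), E("a!", "b!"), E(), E()]
Q_ITER = [E(), E("a?", "c!"), E(), E()]


def example_5_4_2():
    """Interleaved versus synchronized enabling sequences for P_ITER and Q_ITER."""
    return interleave_seqs(P_ITER, Q_ITER), merge_seqs(P_ITER, Q_ITER)


if __name__ == "__main__":
    inter, sync = example_5_4_2()
    print("interleaved :", [sorted(s) for s in inter])
    print("synchronized:", [sorted(s) for s in sync])
    print("channel a enabled for synchronization?",
          sync_enabled_somewhere(inter, "a"), sync_enabled_somewhere(sync, "a"))
```

Running the block prints the two sequences: the interleaved one is $(\emptyset, \{a!,b!\}, \emptyset, \emptyset, \{a?,c!\}, \emptyset, \emptyset)$, so concatenating such pieces with the dot operator yields the period-six pattern of Example 5.4.2 in which $a$ never occurs, whereas the synchronized one contains $\{a!, b!, a?, c!, a\}$ at its second position.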

Once one component of a parallel command has either terminated successfully or become permanently blocked, the remaining component may proceed uninterrupted. Of course, the remaining component may itself eventually terminate, or it may become blocked (modulo some set $F$), or it may proceed indefinitely. We extend the operator $\amalg$ on channel-fair traces to account for each of these cases as well. Suppose that we have a parallel command $c_1\|c_2$ in which $c_2$ has terminated in its local state $s$; the future execution of $c_2$ can be represented by the empty trace $\varphi_2 = (\varepsilon_s, (F_2, \emptyset, (\emptyset), \mathsf{f}))$, for any set $F_2$. If the future execution of $c_1$ is represented by the trace $\varphi_1 = (\alpha, (F_1, U_1, \mathcal{E}_1, R_1))$, then the parallel command's future execution can be represented by any of the fair traces in the set

$$\varphi_1 \amalg \varphi_2 = \{(\alpha \amalg \varepsilon_s,\ (F,\ U_1,\ \mathcal{E}_1 \amalg \emptyset,\ R_1)) \mid F \supseteq F_1 \cup F_2\}.$$

If, instead of terminating successfully, $c_2$ becomes blocked mod $F_2$ in local state $s$, then its future execution can be represented by a partial trace $\varphi_2 = (\varepsilon_s, (F_2, \emptyset, (E_2), \mathsf{p}))$. In this case, again letting $\varphi_1 = (\alpha, (F_1, U_1, \mathcal{E}_1, R_1))$ represent the future execution of $c_1$, the future execution of the parallel command can be defined as follows:

$$\varphi_1 \amalg \varphi_2 = \begin{cases} \{(\alpha \amalg \varepsilon_s,\ (F,\ U_1,\ \mathcal{E}_1 \amalg E_2,\ \mathsf{p})) \mid F \supseteq F_1 \cup F_2\}, & \text{if } R_1 \in \{\mathsf{f}, \mathsf{p}\}, \\[4pt] \{(\alpha \amalg \varepsilon_s,\ (F,\ U_1,\ \mathcal{E}_1 \amalg E_2,\ \mathsf{i})) \mid F \supseteq F_1 \cup F_2\}, & \text{if } R_1 = \mathsf{i}. \end{cases}$$

We therefore define the set $\mathit{one} \subseteq \Phi_{ch} \times \Phi_{ch} \times \Phi_{ch}$, whose triples reflect transition sequences made when only one component remains active, as follows:

$$\mathit{one} = \{(\varphi_1,\varphi_2,\varphi),\ (\varphi_2,\varphi_1,\varphi) \mid \varphi_1 = (\alpha, (F_1,U_1,\mathcal{E}_1,R_1)) \ \&\ \varphi_2 = (\varepsilon_s, (F_2,U_2,\mathcal{E}_2,R_2)) \ \&\ \mathit{disjoint}(\alpha,\varepsilon_s) \ \&\ \varphi \in \varphi_1 \amalg \varphi_2\}.$$

We then define

$$\mathit{fairmerge} = \mathit{both}^\omega \ \cup\ \mathit{both}^* \cdot \mathit{one}.$$

The triple $(\varphi, \varphi', \psi)$ is in $\mathit{both}^\omega$ if and only if the traces $\varphi$, $\varphi'$, and $\psi$ can be written as

$$\varphi = \varphi_0\cdot\varphi_1\cdot\varphi_2\cdot\varphi_3\cdots,\qquad \varphi' = \varphi_0'\cdot\varphi_1'\cdot\varphi_2'\cdot\varphi_3'\cdots,\qquad \psi = \psi_0\cdot\psi_1\cdot\psi_2\cdot\psi_3\cdots,$$

such that each $\varphi_i$, $\varphi_i'$ and $\psi_i$ is finite, and each $\psi_i$ is in the set $(\varphi_i \amalg \varphi_i' \ \cup\ \varphi_i' \amalg \varphi_i \ \cup\ \varphi_i \| \varphi_i')$. Such triples represent the merging of two infinite traces. Likewise, the triple $(\varphi, \varphi', \psi)$ is in $\mathit{both}^* \cdot \mathit{one}$ if and only if the traces $\varphi$, $\varphi'$, and $\psi$ can be written as

$$\varphi = \varphi_0\cdot\varphi_1\cdot\varphi_2\cdot\varphi_3\cdots\varphi_n,\qquad \varphi' = \varphi_0'\cdot\varphi_1'\cdot\varphi_2'\cdot\varphi_3'\cdots\varphi_n',\qquad \psi = \psi_0\cdot\psi_1\cdot\psi_2\cdot\psi_3\cdots\psi_n,$$

such that each $\varphi_i$, $\varphi_i'$ and $\psi_i$ (for $i < n$) is a nonempty finite trace, each $\psi_i$ (for $i < n$) is a member of the set $(\varphi_i \amalg \varphi_i' \ \cup\ \varphi_i' \amalg \varphi_i \ \cup\ \varphi_i \| \varphi_i')$, at least one of $\varphi_n$ and $\varphi_n'$ has form $(\varepsilon_s, \theta)$, and $\psi_n$ is a member of the set $(\varphi_n \amalg \varphi_n' \ \cup\ \varphi_n' \amalg \varphi_n)$. These triples represent the merging of traces when at least one of them is finite or partial.

Finally, we define channel-fair parallel composition on trace sets as

$$T_1 \| T_2 = \{\varphi \mid \varphi_1 \in T_1 \ \&\ \varphi_2 \in T_2 \ \&\ \mathit{mergeable}(\varphi_1,\varphi_2) \ \&\ (\varphi_1,\varphi_2,\varphi) \in \mathit{fairmerge}\},$$

so that $\mathcal{T}_{ch}[\![c_1\|c_2]\!] = \mathcal{T}_{ch}[\![c_1]\!] \,\|\, \mathcal{T}_{ch}[\![c_2]\!]$.

We summarize the preceding discussion by giving the following complete denotational characterization of the trace semantics $\mathcal{T}_{ch}$. This characterization of the semantics $\mathcal{T}_{ch}$ looks essentially the same as the denotational characterizations of the various strongly fair semantics introduced previously. The only obvious difference is the inclusion of the (trivial) sets of unused channels and the sequences of enabling sets for skip, assignment, and the input and output guards. The real differences in the semantics lie in the new interpretations of the various semantic operators, and these differences reflect only the more complicated bookkeeping necessary for modeling channel fairness.

Definition 5.4.1 The channel-fair trace semantic function $\mathcal{T}_{ch} : \mathrm{Com} \to \mathcal{P}(\Phi_{ch})$ is defined by:

$$\begin{aligned}
\mathcal{T}_{ch}[\![\mathbf{skip}]\!] = {} & \{((s, \varepsilon, s),\ (F, \emptyset, (\emptyset, \emptyset), \mathsf{f})) \mid s \in S \ \&\ F \in \mathcal{P}_{\mathrm{fin}}(\Delta)\} \\
& \cup\ \{(\varepsilon_s,\ (F, \emptyset, (\emptyset), \mathsf{p})) \mid s \in S \ \&\ F \supseteq \{\varepsilon\}\} \\[4pt]
\mathcal{T}_{ch}[\![i := e]\!] = {} & \{((s, \varepsilon, [s \mid i = n]),\ (F, \emptyset, (\emptyset, \emptyset), \mathsf{f})) \mid i \in \mathrm{dom}(s) \ \&\ F \in \mathcal{P}_{\mathrm{fin}}(\Delta) \ \&\ (s, n) \in \mathcal{E}[\![e]\!]\} \\
& \cup\ \{(\varepsilon_s,\ (F, \emptyset, (\emptyset), \mathsf{p})) \mid \mathrm{dom}(s) \supseteq \{i\} \cup \mathrm{fv}[\![e]\!] \ \&\ F \supseteq \{\varepsilon\}\} \\[4pt]
\mathcal{T}_{ch}[\![c_1; c_2]\!] = {} & \mathcal{T}_{ch}[\![c_1]\!]\,;\,\mathcal{T}_{ch}[\![c_2]\!] \\[4pt]
\mathcal{T}_{ch}[\![\mathbf{if}\ b\ \mathbf{then}\ c_1\ \mathbf{else}\ c_2]\!] = {} & \mathcal{T}_{ch}[\![b]\!]\,\mathcal{T}_{ch}[\![c_1]\!] \ \cup\ \mathcal{T}_{ch}[\![\neg b]\!]\,\mathcal{T}_{ch}[\![c_2]\!] \\[4pt]
\mathcal{T}_{ch}[\![\mathbf{while}\ b\ \mathbf{do}\ c]\!] = {} & \text{(right-hand side not recoverable from the scanned source)} \\[4pt]
\mathcal{T}_{ch}[\![h?i]\!] = {} & \{((s, h?n, [s \mid i = n]),\ (F, \emptyset, (\{h?\}, \emptyset), \mathsf{f})) \mid i \in \mathrm{dom}(s) \ \&\ n \in \mathbb{Z} \ \&\ F \in \mathcal{P}_{\mathrm{fin}}(\Delta)\} \\
& \cup\ \{(\varepsilon_s,\ (F, \emptyset, (\{h?\}), \mathsf{p})) \mid i \in \mathrm{dom}(s) \ \&\ F \supseteq \{h?\}\} \\[4pt]
\mathcal{T}_{ch}[\![h!e]\!] = {} & \{((s, h!n, s),\ (F, \emptyset, (\{h!\}, \emptyset), \mathsf{f})) \mid (s, n) \in \mathcal{E}[\![e]\!] \ \&\ F \in \mathcal{P}_{\mathrm{fin}}(\Delta)\} \\
& \cup\ \{(\varepsilon_s,\ (F, \emptyset, (\{h!\}), \mathsf{p})) \mid \mathrm{fv}[\![e]\!] \subseteq \mathrm{dom}(s) \ \&\ F \supseteq \{h!\}\} \\[4pt]
\mathcal{T}_{ch}[\![g \to c]\!] = {} & \mathcal{T}_{ch}[\![g]\!]\,\mathcal{T}_{ch}[\![c]\!] \\[4pt]
\mathcal{T}_{ch}[\![gc_1 \,\Box\, gc_2]\!] = {} & \mathcal{T}_{ch}[\![gc_1]\!] \,\Box\, \mathcal{T}_{ch}[\![gc_2]\!] \\[4pt]
\mathcal{T}_{ch}[\![c\backslash h]\!] = {} & \mathcal{T}_{ch}[\![c]\!]\backslash h \\[4pt]
\mathcal{T}_{ch}[\![c_1 \| c_2]\!] = {} & \mathcal{T}_{ch}[\![c_1]\!] \,\|\, \mathcal{T}_{ch}[\![c_2]\!].
\end{aligned}$$
The following two examples illustrate how the strongly channel-fair semantics $\mathcal{T}_{ch}$ can be used to reason about the channel-fair behavior of programs.

Example 5.4.2 Recall the following processes introduced in Figure 2.9, where we assumed that communication occurred only when all processes were inside their loops:

$$P = \mathbf{while}\ (x \ne 0)\ \mathbf{do}\ (a!0 \to x := 0 \ \Box\ b!1 \to \mathbf{skip}),$$

$$Q = n := 1;\ \mathbf{while}\ (w \ne 0)\ \mathbf{do}\ (a?w \to c!w \ \Box\ c!n \to n := n + 1),$$

$$R = \mathbf{while}\ (v \ne 0)\ \mathbf{do}\ (c?v \to \mathbf{skip} \ \Box\ b?v \to \mathbf{skip}).$$

Using the trace semantics $\mathcal{T}_{ch}$, we illustrate why this assumption was necessary for proving termination of the program $(P\|Q\|R)\backslash a\backslash b\backslash c$ under strong channel fairness. In particular, we now show that the program cannot be guaranteed to terminate under strong channel fairness without this assumption.

The set $\mathcal{T}_{ch}[\![P]\!]$ contains an infinite trace of form

$$(\alpha,\ (\emptyset,\ \{a\},\ (\emptyset, \{a!, b!\}, \emptyset)^\omega,\ \mathsf{i})),$$

where $\alpha$ involves only $\varepsilon$-transitions and output actions on channel $b$. Similarly, $\mathcal{T}_{ch}[\![Q]\!]$ contains an infinite trace of form

$$(\beta,\ (\emptyset,\ \{a\},\ (\emptyset)(\emptyset, \{a?, c!\}, \emptyset)^\omega,\ \mathsf{i})),$$

where $\beta$ involves only $\varepsilon$-transitions and output actions on channel $c$. As a result, $\mathcal{T}_{ch}[\![P\|Q]\!]$ has an infinite trace with form

$$(\gamma,\ (\emptyset,\ \{a\},\ \mathcal{E},\ \mathsf{i})),$$

where $\gamma$ is an interleaving merge of $\alpha$ and $\beta$ and $\mathcal{E} = (\emptyset, \{a!, b!\}, \emptyset, \emptyset, \{a?, c!\}, \emptyset)^\omega$ is an interleaving of the sequences $(\emptyset, \{a!, b!\}, \emptyset)^\omega$ and $(\emptyset, \{a?, c!\}, \emptyset)^\omega$. In this trace, synchronization on channel $a$ is never enabled, because the commands $P$ and $Q$ are never inside their loops at the same time; despite the infinite occurrences of $a!$ and $a?$ along $\mathcal{E}$, the channel $a$ does not occur along $\mathcal{E}$.

To wrap up the details, $\mathcal{T}_{ch}[\![R]\!]$ has a trace with form $(\gamma', (\emptyset, \emptyset, \mathcal{E}', \mathsf{i}))$ in which $\gamma'$ alternates $b?1$ actions with $c?n$ actions. Therefore, there is a trace of $\mathcal{T}_{ch}[\![P\|Q\|R]\!]$ with form

$$(\zeta,\ (\emptyset,\ \{a\},\ \mathcal{E}'',\ \mathsf{i})),$$

where $\mathcal{E}''$ is an interleaving of $\mathcal{E}$ and $\mathcal{E}'$ and $\zeta$ is a trace in which each communication of $\gamma$ is synchronized with a communication of $\gamma'$. Because neither $a!$ nor $a?$ can possibly occur along $\mathcal{E}'$, the channel $a$ does not appear along $\mathcal{E}''$. It follows that there is an infinite trace with form $(\zeta, (\emptyset, \emptyset, (\emptyset)^\omega, \mathsf{i}))$ in $\mathcal{T}_{ch}[\![(P\|Q\|R)\backslash a\backslash b\backslash c]\!]$, corresponding to a nonterminating, channel-fair computation of the program $(P\|Q\|R)\backslash a\backslash b\backslash c$. ◦

In the following example, we modify the previous example to ensure termination under strong channel fairness. Essential to proving termination is the introduction of additional communications that keep the processes synchronized with one another: communications on channels $a$, $b$ and $c$ can occur only when all three processes are inside their loops.

Example 5.4.3 Consider the following processes $P'$, $Q'$ and $R'$, which are revised versions of the processes $P$, $Q$, and $R$ (respectively) of the previous example:

$$P' = \mathbf{while}\ (x \ne 0)\ \mathbf{do}\ \mathit{sync}!1 \to (a!0 \to x := 0 \ \Box\ b!1 \to e!1 \to \mathbf{skip} \ \Box\ e?x \to \mathbf{skip}),$$

$$Q' = n := 1;\ \mathbf{while}\ (w \ne 0)\ \mathbf{do}\ \mathit{sync}?w \to \mathit{sync}?w \to (a?w \to c!w \ \Box\ c!n \to e!1 \to n := n + 1 \ \Box\ e?w \to \mathbf{skip}),$$

$$R' = \mathbf{while}\ (v \ne 0)\ \mathbf{do}\ \mathit{sync}!1 \to (c?v \to \mathbf{skip} \ \Box\ b?v \to \mathbf{skip}).$$

We use the trace semantics $\mathcal{T}_{ch}$ to prove that the program $(P'\|Q'\|R')\backslash\mathit{sync}\backslash e\backslash a\backslash b\backslash c$ always terminates under strong channel fairness.
Let $C$ abbreviate the program $(P'\|Q'\|R')\backslash\mathit{sync}\backslash e$. The only infinite computations of $C$ are those in which each of $P'$, $Q'$ and $R'$ makes infinite progress: the need to synchronize on channel $\mathit{sync}$ prevents two processes from conspiring against the third. Moreover, in any such infinite computation, synchronization on the channel $a$ is enabled infinitely often. Therefore, every infinite trace of $C$ has form $(\alpha, (F, U, \mathcal{E}, \mathsf{i}))$, where the channel $a$ occurs infinitely often along $\mathcal{E}$ (that is, the channel $a$, in addition to the directions $a!$ and $a?$, appears in infinitely many sets along the sequence $\mathcal{E}$). As a result, the only possible infinite traces in $C\backslash a$ have form

$$(\alpha,\ (F',\ U\backslash a,\ \mathcal{E}\backslash a,\ \mathsf{i})),$$

where $F' \supseteq F\backslash a$.

However, every infinite trace of $P'$ has form $(\beta, (F_P, U_P, \mathcal{E}_P, \mathsf{i}))$, where $\beta$ involves no communications on channel $a$ and $a$ is in $U_P$. Therefore, $a$ must also be in $U$, and hence the traces of $\mathcal{T}_{ch}[\![C]\!]$ with form $(\alpha, (F, U, \mathcal{E}, \mathsf{i}))$ (that is, all the infinite traces) must be discarded in creating the set $\mathcal{T}_{ch}[\![C\backslash a]\!]$. It follows that there are no infinite traces in the set $\mathcal{T}_{ch}[\![C\backslash a]\!]$, and therefore no infinite traces in the set $\mathcal{T}_{ch}[\![C\backslash a\backslash b\backslash c]\!] = \mathcal{T}_{ch}[\![(P'\|Q'\|R')\backslash\mathit{sync}\backslash e\backslash a\backslash b\backslash c]\!]$.

A similar analysis shows that deadlock of the program is impossible, and hence the program must always terminate successfully. ◦


5.5 Lack of Full Abstraction

The semantics $\mathcal{T}_{ch}$ is sound with respect to all of the (channel-fair equivalents of the) behaviors introduced in Chapter 4, but it is fully abstract with respect to none of them. Of course, this is not surprising: the strongly fair semantics $\mathcal{T}$ required the addition of closure conditions to yield full abstraction.

Some of the inappropriate distinctions made by $\mathcal{T}_{ch}$ can indeed be eliminated by the simple introduction of closure conditions. For example, recall the commands $C_1$ and $C_2$ that led us to introduce union and superset closure conditions for strong fairness:

$$C_1 = (a!0 \to b!0) \ \Box\ (a!0 \to c!0),$$

$$C_2 = (a!0 \to b!0) \ \Box\ (a!0 \to c!0) \ \Box\ (a!0 \to (b!0 \ \Box\ c!0)).$$

These commands have different trace sets and yet are indistinguishable in all program contexts, even under channel fairness. Introducing union and superset conditions suited to channel-fair traces can eliminate the distinction between $C_1$ and $C_2$.
However, other inappropriate distinctions cannot be remedied so easily. For instance, consider the following two commands:

$$C_3 = a!0 \to ((b!0 \to \mathbf{while}\ \mathbf{true}\ \mathbf{do}\ a!0) \ \Box\ (c!0 \to \mathbf{skip})) \ \ \Box\ \ a!0 \to (b!0 \to \mathbf{skip} \ \Box\ d!0 \to \mathbf{skip}),$$

$$C_4 = C_3 \ \ \Box\ \ a!0 \to ((b!0 \to \mathbf{while}\ \mathbf{true}\ \mathbf{do}\ a!0) \ \Box\ (d!0 \to \mathbf{skip})).$$

Let $\alpha$ be the simple trace $(s, a!0, s)(s, b!0, s)[(s, \varepsilon, s)(s, a!0, s)]^\omega$, and let $\mathcal{E}$ be the infinite sequence $(\emptyset, \{a!\})^\omega$. The infinite trace $\varphi_3 = (\alpha, (\emptyset, (\{a!\}, \{b!, c!\})\mathcal{E}, \mathsf{i}))$ is possible for both $C_3$ and $C_4$, whereas the infinite trace $\varphi_4 = (\alpha, (\emptyset, (\{a!\}, \{b!, d!\})\mathcal{E}, \mathsf{i}))$ is possible only for $C_4$. These two traces differ in the sets of directions enabled on their second steps. Despite this difference, the commands $C_3$ and $C_4$ exhibit the same behaviors in all program contexts. In essence, the traces $\varphi_3$ and $\varphi_4$ are indistinguishable from the standpoint of strong channel fairness, because they share the same infinite suffix of enabling sets: after some finite period of time, both enable the same communications on precisely the same steps.

In general, eliminating this type of distinction requires a more direct approach than closure conditions provide: every pair of congruent traces (i.e., traces sharing the same simple trace component and fairness sets $F$ and $U$) that also share an infinite suffix of enabling sequences must be considered equivalent. Formalizing such relationships requires the introduction of an equivalence relation on traces that identifies exactly such pairs, followed by the imposition of a quotient structure on trace sets based on this equivalence relation. It seems likely that such an approach would yield a fully abstract channel-fair semantics. However, it is unclear whether these technical contortions would provide significantly more insight (if any) than the semantics $\mathcal{T}_{ch}$ already provides.

The difficulty in achieving full abstraction (and the expected complexity of such a model) should not be construed automatically as an indictment of the general trace framework. Rather, they reflect the inherent complexity that underlies the notion of strong channel fairness. Strong channel fairness is not equivalence robust [AFK88], in that the specific order in which independent actions occur affects the fairness of a given computation. For example, recall Examples 5.2.2 and 5.2.3: the order in which the computations $\rho_1$ and $\rho_2$ are interleaved affects the channel fairness of the resulting computation. Because channel fairness depends on the order in which actions are enabled and occur, any semantics that incorporates assumptions of channel fairness must account for this dependence in some way. It should not be surprising that the resulting semantics is complex when the underlying notion of fairness is as well.

The lack of full abstraction should also not be interpreted as a condemnation of the semantics $\mathcal{T}_{ch}$. Full abstraction is an ideal that is not always easily achievable, and it is well known that certain notions of behavior for certain languages do not admit fully abstract models [Mil77, AP86, Sto88]. Moreover, the semantics $\mathcal{T}_{ch}$ still supports compositional reasoning about strongly channel-fair behavior, and its soundness for several behavioral notions still provides useful, if incomplete, information about program equivalence and substitutability: two program terms are guaranteed to behave equivalently whenever $\mathcal{T}_{ch}$ gives them identical meanings. For example, the soundness of $\mathcal{T}_{ch}$ is sufficient for validating the program equivalences (with respect to any of the channel-fair equivalents of the behaviors $\mathcal{M}$, $\mathcal{S}$, $\mathcal{F}$ or $\mathcal{C}$) of Figure 5.2, properties which also hold under strong-fairness assumptions.

$$\begin{aligned}
c_1 \| c_2 &= c_2 \| c_1 \\
(c_1 \| c_2) \| c_3 &= c_1 \| (c_2 \| c_3) \\
(c_1 \| c_2)\backslash h &= c_1 \| (c_2\backslash h), \quad \text{provided } h \notin \mathit{fc}[\![c_1]\!] \\
c\backslash h &= c, \quad \text{provided } h \notin \mathit{fc}[\![c]\!] \\
(a!0 \to b!0) \ \Box\ (b!0 \to a!0) &= a!0 \,\|\, b!0
\end{aligned}$$

Figure 5.2: Some program equivalences validated by $\mathcal{T}_{ch}$.


Chapter  6 

Weak  Process  Fairness 


This  chapter  focuses  on  weak  process  fairness,  which  requires  every  continuously  enabled  pro¬ 
cess  to  make  progress.  The  assumption  of  weak  fairness  is  weaker  (and  therefore  more  general) 
than  strong  fairness.  Perhaps  ironically,  then,  incorporating  weak-fairness  assumptions  into  a 
semantics  for  communicating  processes  is  more  complicated  than  incorporating  strong-fairness 
assumptions.  In  particular,  the  task  of  determining  which  processes  are  enabled  continuously 
requires  significantly  more  structure  than  determining  which  processes  are  enabled  infinitely 
often  does:  not  only  can  a  process  be  enabled  continuously  along  a  computation  of  ci||c2 
without  being  enabled  continuously  along  either  component’s  subcomputation,  but  it  can  be 
enabled  continuously  without  any  one  of  its  possible  actions  being  enabled  continuously. 

In  this  chapter,  we  show  how  to  adapt  the  trace  framework  to  incorporate  assumptions  of 
weak  process  fairness.  We  discuss  why  weak  fairness  is  harder  to  model  than  strong  fairness, 
and  we  indicate  what  type  of  additional  semantic  structure  weak  fairness  requires.  Based  on 
these  observations,  we  introduce  a  parameterized  form  of  weak  fairness  that  is  based  on  param¬ 
eterized  strong  fairness  but  tailored  for  reasoning  about  the  continuous  enabling  of  processes. 
This  parameterization  guides  our  construction  of  a  weakly  fair  trace  semantics  that  is  strikingly 
similar  to  the  channel-fair  semantics  of  Chapter  5. 


6.1  Parameterized  Weak  Fairness 

In Section 3.1, we introduced the notion of parameterized strong process fairness to permit a compositional characterization of strongly fair computation. Roughly speaking, we tag "almost strongly fair" computations with sets of directions that represent the actions possible for those processes that are treated unfairly. These sets do not distinguish between the actions possible for a single process and the actions possible for a collection of processes, because such distinctions are irrelevant for strong fairness. A process $P_i$ having the set of enabled directions $E_i$ is enabled infinitely often along a given computation if and only if some element of $E_i$ is enabled infinitely often. Similarly, some member of the collection of processes $\{P_1, \ldots, P_k\}$ is enabled for communication infinitely often along a given computation if and only if some direction in one of the sets in $\{E_1, \ldots, E_k\}$ is enabled infinitely often. Thus, for example, the single process

$$Q_1 = a!0 \to b!0 \ \Box\ b!0 \to a!0$$

has precisely the same set of fairness constraints as the parallel command

$$Q_2 = (a!0 \,\|\, b!0);$$

each $Q_i$ is enabled for synchronization infinitely often along a computation of $Q_i\|C$ (for any command $C$) if and only if $C$ enables input on channel $a$ or $b$ infinitely often.

The situation changes, however, when we consider the continuous enabling of directions and processes. The process $P_i$ can be enabled continuously along a computation without any particular element of $E_i$ being enabled for synchronization continuously. For example, consider the command

$$C = (\mathbf{while}\ \mathbf{true}\ \mathbf{do}\ (a?x \ \Box\ c!1)) \ \|\ (\mathbf{while}\ \mathbf{true}\ \mathbf{do}\ (b?y \ \Box\ c!2)),$$

and let $\rho$ be a computation of $C$ such that (1) both parallel subcomponents repeatedly perform output on channel $c$; and (2) at any time after the initial step, at least one of the components is inside its loop. Along this computation $\rho$, the directions $a?$ and $b?$ are each enabled infinitely often and disabled infinitely often; moreover, at any time after the first step, at least one of the directions $a?$ and $b?$ is enabled.

Because the single process $Q_1$ can perform output on either channel $a$ or channel $b$, it is enabled continuously in any computation of $(Q_1\|C)\backslash a\backslash b$ in which $C$ performs the transition sequence $\rho$. As a result, in any weakly fair computation of $(Q_1\|C)\backslash a\backslash b$, $C$ must eventually deviate from the transition sequence $\rho$. In contrast, there are weakly fair computations of $(Q_2\|C)\backslash a\backslash b$ in which $C$ performs the transitions $\rho$: $Q_2$ contains two processes, neither of which is enabled continuously by $\rho$. Whereas the commands $Q_1$ and $Q_2$ have identical behaviors under strong fairness, they can exhibit different behaviors under weak fairness. For this reason, parameterized weak fairness, unlike parameterized strong fairness, must distinguish between the actions possible for a single process and the actions possible for a collection of processes.

To this end, we tag "almost weakly fair" computations with a set $\mathcal{F}$ of sets of directions, each set $F \in \mathcal{F}$ intuitively indicating that one or more subprocesses are blocked modulo $F$. For example, we use the set

$$\mathcal{F}_1 = \{\{a!, b!\}\}$$

to tag computations in which one or more subprocesses are blocked modulo $\{a!, b!\}$; the partial computation $\langle Q_1, s\rangle$ can be tagged by $\mathcal{F}_1$. In contrast, we use the set

$$\mathcal{F}_2 = \{\{a!\}, \{b!\}\}$$

to tag computations in which one or more processes are blocked modulo $\{a!\}$ and one or more processes are blocked modulo $\{b!\}$; the partial computation $\langle Q_2, s\rangle$ can be tagged by $\mathcal{F}_2$.

The set $\mathit{inits}(c, s)$, introduced in Section 2.1, is the set of directions (possibly including $\varepsilon$) corresponding to the possible transitions from configuration $\langle c, s\rangle$. We can likewise define a set $\mathit{initsets}(c, s)$ that contains sets of directions (possibly including $\{\varepsilon\}$), with the intuition that each set reflects the transitions possible for one (or more) of $c$'s subprocesses from the configuration $\langle c, s\rangle$. A structurally inductive definition of the set $\mathit{initsets}(c, s)$ appears in Figure 6.1.¹ When the command $c$ has only one associated process, $\mathit{initsets}(c, s)$ is necessarily a singleton set; in particular, the set $\mathit{initsets}(gc_1 \,\Box\, gc_2, s)$ is a singleton set whose only element may contain several directions. This definition provides a way to distinguish the commands $Q_1$ and $Q_2$ as required: for all states $s$, $\mathit{initsets}(Q_1, s) = \{\{a!, b!\}\}$, whereas $\mathit{initsets}(Q_2, s) = \{\{a!\}, \{b!\}\}$.

$$\begin{aligned}
\mathit{initsets}(\mathbf{skip}, s) &= \{\{\varepsilon\}\} \\
\mathit{initsets}(i := e, s) &= \{\{\varepsilon\}\} \\
\mathit{initsets}(\mathbf{if}\ b\ \mathbf{then}\ c_1\ \mathbf{else}\ c_2, s) &= \{\{\varepsilon\}\} \\
\mathit{initsets}(\mathbf{while}\ b\ \mathbf{do}\ c, s) &= \{\{\varepsilon\}\} \\
\mathit{initsets}(c_1; c_2, s) &= \mathit{initsets}(c_1, s) \\
\mathit{initsets}(h?i, s) &= \{\{h?\}\} \\
\mathit{initsets}(h!e, s) &= \{\{h!\}\} \\
\mathit{initsets}(g \to c, s) &= \mathit{initsets}(g, s) \\
\mathit{initsets}(gc_1 \,\Box\, gc_2, s) &= \{X_1 \cup X_2 \mid X_1 \in \mathit{initsets}(gc_1, s) \ \&\ X_2 \in \mathit{initsets}(gc_2, s)\} \\
\mathit{initsets}(c_1 \| c_2, s) &= \mathit{initsets}(c_1, s) \cup \mathit{initsets}(c_2, s) \cup \{\{\varepsilon\} \mid \mathit{match}(\mathit{initsets}(c_1, s), \mathit{initsets}(c_2, s))\} \\
\mathit{initsets}(c\backslash h, s) &= \{F - \{h?, h!\} \mid F \in \mathit{initsets}(c, s)\}
\end{aligned}$$

Figure 6.1: The definition of $\mathit{initsets}(c, s)$.

¹This inductive definition relies on the obvious extension of the predicate $\mathit{match}$ to sets of sets of directions: for such sets $\mathcal{X}_1$ and $\mathcal{X}_2$, the predicate $\mathit{match}(\mathcal{X}_1, \mathcal{X}_2)$ is true if and only if there exist sets $X_1 \in \mathcal{X}_1$ and $X_2 \in \mathcal{X}_2$ such that $\mathit{match}(X_1, X_2)$.

Finally, we note that different sets may represent the same weak-fairness constraints. For example, consider the sets $\mathcal{F}_1 = \{\{a!, b!\}, \{a!\}\}$ and $\mathcal{F}_2 = \{\{a!, b!\}\}$. Both sets represent identical constraints: each will be enabled for synchronization continuously along any computation that enables the set $\{a!, b!\}$ continuously. In effect, the possibilities inherent in the set $\{a!\}$ are subsumed by the set $\{a!, b!\}$: any computation that provides the set $\{a!\}$ with continuous synchronization opportunities necessarily provides the set $\{a!, b!\}$ with continuous synchronization opportunities. We use downwards closure to yield canonical representations of the fairness constraints.

Definition 6.1.1 Let $\mathcal{F}$ be a member of $\mathcal{P}_{\mathrm{fin}}(\mathcal{P}_{\mathrm{fin}}(\Delta))$. The downwards closure of $\mathcal{F}$, written $\mathcal{F}{\downarrow}$, is the set of all subsets of members of $\mathcal{F}$: $\mathcal{F}{\downarrow} = \{F' \mid \exists F \in \mathcal{F}.\ F' \subseteq F\}$. ◦

Intuitively, the sets $\mathcal{F}_1$ and $\mathcal{F}_2$ represent identical weak-fairness constraints whenever $\mathcal{F}_1{\downarrow} = \mathcal{F}_2{\downarrow}$.

Definition 6.1.2 Let $\mathcal{F}$ be a member of $\mathcal{P}_{\mathrm{fin}}(\mathcal{P}_{\mathrm{fin}}(\Delta))$. A configuration $\langle c, s\rangle$ is blocked modulo $\mathcal{F}$ if $\mathit{initsets}(c, s) - \mathcal{F}{\downarrow} = \emptyset$, and it is enabled modulo $\mathcal{F}$ otherwise. ◦

Thus a configuration is blocked modulo $\mathcal{F}$ if each of its subprocesses is blocked mod $F$ for some $F \in \mathcal{F}{\downarrow}$.

Example 6.1.3 Recall the commands $Q_1 = a!0 \to b!0 \ \Box\ b!0 \to a!0$ and $Q_2 = (a!0 \,\|\, b!0)$, with the sets of enabled communications

$$\mathit{initsets}(Q_1, s) = \{\{a!, b!\}\}, \qquad \mathit{initsets}(Q_2, s) = \{\{a!\}, \{b!\}\}.$$

The configurations $\langle Q_1, s\rangle$ and $\langle Q_2, s\rangle$ are both blocked modulo $\{\{a!, b!\}\}$, because (for each $i$)

$$\mathit{initsets}(Q_i, s) \subseteq \{\{a!, b!\}\}{\downarrow} = \{\emptyset, \{a!\}, \{b!\}, \{a!, b!\}\}.$$

However, only the configuration $\langle Q_2, s\rangle$ is blocked modulo $\{\{a!\}, \{b!\}\}$:

$$\mathit{initsets}(Q_2, s) - \{\{a!\}, \{b!\}\}{\downarrow} = \emptyset, \qquad \text{whereas} \qquad \{a!, b!\} \in \mathit{initsets}(Q_1, s) - \{\{a!\}, \{b!\}\}{\downarrow}.$$

◦
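Figure 6.1, Definitions 6.1.1 and 6.1.2, and Example 6.1.3 together describe a small decision procedure: compute $\mathit{initsets}(c, s)$, close the fairness family $\mathcal{F}$ downwards, and test whether $\mathit{initsets}(c, s) - \mathcal{F}{\downarrow}$ is empty. The following Python is an added example (not the dissertation's code) that implements that procedure over a tuple encoding of commands. The encoding, the omission of the state argument (which no clause of Figure 6.1 inspects), the function names, and the reading of $\mathit{match}$ on two direction sets as "$h!$ on one side and $h?$ on the other for some channel $h$" are assumptions of the example; the lift of $\mathit{match}$ to sets of sets follows the page's footnote. It reproduces Example 6.1.3 ($Q_1$ is blocked modulo $\{\{a!, b!\}\}$ but not modulo $\{\{a!\}, \{b!\}\}$, while $Q_2$ is blocked modulo both) and the observation that $\{\{a!, b!\}, \{a!\}\}$ and $\{\{a!, b!\}\}$ have the same downwards closure.

```python
"""initsets, downwards closure and "blocked modulo F" for parameterized weak
fairness (added example, not the dissertation's code).

Commands are nested tuples whose first element is a tag (assumed encoding):
  ("skip",), ("assign", i, e), ("if", b, c1, c2), ("while", b, c),
  ("seq", c1, c2), ("in", h, i), ("out", h, e), ("guard", g, c),
  ("choice", gc1, gc2), ("par", c1, c2), ("hide", c, h).
The state argument of initsets(c, s) plays no role in any clause of Figure 6.1
and is omitted.  match(X1, X2) is taken to hold when some channel h has h! in
one set and h? in the other (assumption).
"""
from itertools import combinations
from typing import FrozenSet, Set, Tuple

EPS = "ε"
DirSet = FrozenSet[str]


def S(*items: str) -> DirSet:
    """Build a set of directions."""
    return frozenset(items)


def match(x1: DirSet, x2: DirSet) -> bool:
    """Some channel h with h! in one set and h? in the other (assumed reading)."""
    for d in x1:
        if d[-1] in "!?":
            partner = d[:-1] + ("?" if d[-1] == "!" else "!")
            if partner in x2:
                return True
    return False


def match_sets(xs1: Set[DirSet], xs2: Set[DirSet]) -> bool:
    """Lift of match to sets of sets: some X1 in xs1 and X2 in xs2 with match(X1, X2)."""
    return any(match(a, b) for a in xs1 for b in xs2)


def initsets(c: Tuple) -> Set[DirSet]:
    """Figure 6.1: one direction set per (collection of) subprocess(es) of c."""
    tag = c[0]
    if tag in ("skip", "assign", "if", "while"):
        return {S(EPS)}
    if tag == "seq":
        return initsets(c[1])
    if tag == "in":
        return {S(c[1] + "?")}
    if tag == "out":
        return {S(c[1] + "!")}
    if tag == "guard":
        return initsets(c[1])
    if tag == "choice":
        return {x1 | x2 for x1 in initsets(c[1]) for x2 in initsets(c[2])}
    if tag == "par":
        s1, s2 = initsets(c[1]), initsets(c[2])
        sync = {S(EPS)} if match_sets(s1, s2) else set()
        return s1 | s2 | sync
    if tag == "hide":
        h = c[2]
        return {f - {h + "?", h + "!"} for f in initsets(c[1])}
    raise ValueError(f"unknown command tag {tag!r}")


def downward_closure(fam: Set[DirSet]) -> Set[DirSet]:
    """F-down: every subset of every member of fam (Definition 6.1.1)."""
    closed: Set[DirSet] = set()
    for f in fam:
        elems = sorted(f)
        for k in range(len(elems) + 1):
            for sub in combinations(elems, k):
                closed.add(frozenset(sub))
    return closed


def same_constraint(fam1: Set[DirSet], fam2: Set[DirSet]) -> bool:
    """Two families impose identical weak-fairness constraints iff their closures agree."""
    return downward_closure(fam1) == downward_closure(fam2)


def blocked_modulo(c: Tuple, fam: Set[DirSet]) -> bool:
    """Definition 6.1.2: <c, s> is blocked modulo fam iff initsets(c) - fam-down is empty."""
    return not (initsets(c) - downward_closure(fam))


# Constructed sample commands: Q1 = a!0 -> b!0 [] b!0 -> a!0 and Q2 = (a!0 || b!0).
Q1 = ("choice", ("guard", ("out", "a", 0), ("out", "b", 0)),
                ("guard", ("out", "b", 0), ("out", "a", 0)))
Q2 = ("par", ("out", "a", 0), ("out", "b", 0))

if __name__ == "__main__":
    for name, q in (("Q1", Q1), ("Q2", Q2)):
        print(name, [sorted(x) for x in initsets(q)],
              "blocked mod {{a!,b!}}:", blocked_modulo(q, {S("a!", "b!")}),
              "blocked mod {{a!},{b!}}:", blocked_modulo(q, {S("a!"), S("b!")}))
```

The `hide` clause drops both directions of the hidden channel from every set, so hiding $a$ in $a!0 \,\|\, a?x$ leaves $\{\emptyset, \{\varepsilon\}\}$: the two halves can no longer be offered to the environment, but their mutual synchronization (recorded as $\{\varepsilon\}$ by the `par` clause) survives.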

We  can  now  give  a  parameterized  notion  of  weak  fairness  that  mimics  the  parameterization 
of  strong  fairness  in  Section  3.1  but  also  accounts  for  the  additional  structure  of  the  fairness 
sets  T.  A  computation  is  weakly  fair  (in  the  standard  sense)  if  and  only  if  it  is  weakly  fair 
modulo  0. 

Definition 6.1.4  Let $\mathcal{F}$ be a member of $\mathcal{P}_{fin}(\mathcal{P}_{fin}(\Delta))$. A computation $\rho$ of the command $c$ is weakly fair modulo $\mathcal{F}$ provided $\rho$ satisfies one of the following conditions:

•  $\rho$ is a finite, successfully terminating computation;

•  $\rho$ is a partial computation whose final configuration is blocked modulo $\mathcal{F}$;

•  $\rho$ is an infinite computation, $c$ has form $(c_1; c_2)$ or $(\mathbf{if}\ b\ \mathbf{then}\ c_1\ \mathbf{else}\ c_2)$, and the underlying infinite computation of $c_1$ or $c_2$ is weakly fair mod $\mathcal{F}$;

•  $\rho$ is an infinite computation, $c$ has form $(\mathbf{while}\ b\ \mathbf{do}\ c')$ or $(g \to c')$, and all underlying computations of $c'$ are weakly fair mod $\mathcal{F}$;

•  $\rho$ is an infinite computation, $c$ has form $(gc_1 \,\Box\, gc_2)$, and the underlying computation of the selected $gc_i$ is weakly fair mod $\mathcal{F}$;

•  $\rho$ is an infinite computation, $c$ has form $c' \backslash h$, and $\rho$'s underlying computation of $c'$ is weakly fair modulo $\{F \cup \{h?, h!\} \mid F \in \mathcal{F}\}$;

•  $\rho$ is an infinite computation, $c$ has form $c_1 \parallel c_2$, and there exist sets $\mathcal{F}_1$ and $\mathcal{F}_2$, and computations $\rho_1$ of $c_1$ and $\rho_2$ of $c_2$, such that:

   –  $\rho_1$ is weakly fair mod $\mathcal{F}_1$ and $\rho_2$ is weakly fair mod $\mathcal{F}_2$,

   –  $\rho$ can be obtained by merging and synchronizing $\rho_1$ and $\rho_2$,

   –  $\mathcal{F}{\downarrow} \supseteq (\mathcal{F}_1 \cup \mathcal{F}_2){\downarrow}$, and

   –  no subcomponent of $c_1$ or $c_2$ that fails to make infinite progress is enabled for synchronization almost everywhere along $\rho$.  o

The final condition in the parallel-composition clause ensures that no process that becomes blocked modulo $\mathcal{F}$ continuously has some opportunity to synchronize. Unlike the parallel-composition clause for parameterized strong fairness, $c_1$'s constraints do not depend solely on $\rho_2$ (and likewise for $c_2$ and $\rho_1$): a (sub)process can be enabled for synchronization continuously along the computation $\rho$ without being enabled for synchronization continuously along either $\rho_1$ or $\rho_2$. For example, consider the commands

$C_1 = a?x \parallel \mathbf{while}\ \mathit{true}\ \mathbf{do}\ (a!1 \,\Box\, b!1)$,   $C_2 = \mathbf{while}\ \mathit{true}\ \mathbf{do}\ (a!2 \,\Box\, b!2)$.

Suppose that $\rho_1$ is an infinite, weakly fair mod $\{\{a?\}\}$ computation of $C_1$ in which the process $a?x$ makes no progress, and let $\rho_2$ be a weakly fair computation of $C_2$. The process $a?x$ is enabled for synchronization infinitely often, but not continuously, along each of the computations $\rho_1$ and $\rho_2$. However, the computations $\rho_1$ and $\rho_2$ can be interleaved to yield a computation $\rho$ of $C_1 \parallel C_2$ in such a way that the process $a?x$ is enabled for synchronization continuously along $\rho$. As a result, it is often necessary to look at the resulting computation of the parallel command to determine whether any blocked processes are actually enabled continuously. We explore this situation in more detail in the following examples.
Example 6.1.5  Let $C_1$ and $C_2$ be the commands of the preceding discussion:

$C_1 = a?x \parallel \mathbf{while}\ \mathit{true}\ \mathbf{do}\ (a!1 \,\Box\, b!1)$,   $C_2 = \mathbf{while}\ \mathit{true}\ \mathbf{do}\ (a!2 \,\Box\, b!2)$.

For notational expediency, we let $C$ abbreviate the command $\mathbf{while}\ \mathit{true}\ \mathbf{do}\ (a!1 \,\Box\, b!1)$, so that $C_1 = a?x \parallel C$.

1.  Let $\rho_1$ be the following infinite computation

$\rho_1 = (a?x \parallel C, s) \xrightarrow{\varepsilon} (a?x \parallel (a!1 \,\Box\, b!1); C, s) \xrightarrow{b!1} (a?x \parallel C, s) \xrightarrow{\varepsilon} \cdots$

in which the process $a?x$ never makes a transition and the value 1 is repeatedly transmitted along channel $b$.

The computation $\rho_1$ is weakly fair modulo $\{\{a?\}\}$: the only continually enabled process that does not make progress is blocked modulo $\{\{a?\}\}$, and it is not enabled for synchronization continuously.

2.  Let $\rho_2$ be the infinite computation

$\rho_2 = (C_2, t) \xrightarrow{\varepsilon} ((a!2 \,\Box\, b!2); C_2, t) \xrightarrow{b!2} (C_2, t) \xrightarrow{\varepsilon} \cdots$

that repeatedly transmits the value 2 along channel $b$. The computation $\rho_2$ is weakly fair modulo $\emptyset$.

3.  Let $\rho$ be the following interleaving of $\rho_1$ and $\rho_2$ in which every transition of $C_1$ is followed by a transition of $C_2$ and vice versa:

$\rho = (a?x \parallel C \parallel C_2, s \cup t) \xrightarrow{\varepsilon} (a?x \parallel (a!1 \,\Box\, b!1); C \parallel C_2, s \cup t)$
$\quad \xrightarrow{\varepsilon} (a?x \parallel (a!1 \,\Box\, b!1); C \parallel (a!2 \,\Box\, b!2); C_2, s \cup t)$
$\quad \xrightarrow{b!1} (a?x \parallel C \parallel (a!2 \,\Box\, b!2); C_2, s \cup t)$
$\quad \xrightarrow{b!2} (a?x \parallel C \parallel C_2, s \cup t) \xrightarrow{\varepsilon} \cdots$

The computation $\rho$ is weakly fair mod $\{\{a?\}\}$, because the process $a?x$ never becomes enabled for synchronization continuously along $\rho$. In particular, $a?x$ is disabled for synchronization at every configuration $(a?x \parallel C \parallel C_2, s \cup t)$.

4.  The corresponding computation of $(C_1 \parallel C_2) \backslash a$ in which the process $a?x$ never makes a transition is weakly fair modulo $\emptyset$.  o


The  following  example,  taken  together  with  the  preceding  one,  shows  how  the  order  in 
which  independent  actions  occur  can  affect  the  weak  fairness  of  a  computation. 


Example 6.1.6  Let the commands $C_1$ and $C_2$, and the computations $\rho_1$ and $\rho_2$, be as defined in the preceding example, and let $\rho'$ be the following interleaving of $\rho_1$ and $\rho_2$:

$\rho' = (a?x \parallel C \parallel C_2, s \cup t)$
$\quad \xrightarrow{\varepsilon} (a?x \parallel (a!1 \,\Box\, b!1); C \parallel C_2, s \cup t)$
$\quad \xrightarrow{\varepsilon} (a?x \parallel (a!1 \,\Box\, b!1); C \parallel (a!2 \,\Box\, b!2); C_2, s \cup t)$
$\quad \xrightarrow{b!1} (a?x \parallel C \parallel (a!2 \,\Box\, b!2); C_2, s \cup t)$
$\quad \xrightarrow{\varepsilon} (a?x \parallel (a!1 \,\Box\, b!1); C \parallel (a!2 \,\Box\, b!2); C_2, s \cup t)$
$\quad \xrightarrow{b!2} (a?x \parallel (a!1 \,\Box\, b!1); C \parallel C_2, s \cup t)$
$\quad \xrightarrow{\varepsilon} (a?x \parallel (a!1 \,\Box\, b!1); C \parallel (a!2 \,\Box\, b!2); C_2, s \cup t) \longrightarrow \cdots$

In this computation, from the second configuration onward, at least one of $C$ and $C_2$ is always inside its loop. As a result, the process $a?x$ is enabled for synchronization continuously, and the computation $\rho'$ is not weakly fair modulo $\{\{a?\}\}$. Consequently, the corresponding computation of $(C_1 \parallel C_2) \backslash a$ is not weakly fair.  o

The following example shows that, under weak fairness, a process can block on a communication, even though that same channel is used for synchronization infinitely often by other processes.

Example 6.1.7  Let $P_1$ and $P_2$ be the following processes:

$P_1 = \mathbf{while}\ \mathit{true}\ \mathbf{do}\ (b?x \,\Box\, a!1)$,   $P_2 = \mathbf{while}\ \mathit{true}\ \mathbf{do}\ (b?y \,\Box\, a!2 \,\Box\, b!2)$.

1.  The infinite computation

$\rho_1 = ((b!0 \parallel P_1), [x = 2]) \xrightarrow{\varepsilon} ((b!0 \parallel (b?x \,\Box\, a!1); P_1), [x = 2]) \xrightarrow{b?2} ((b!0 \parallel P_1), [x = 2]) \xrightarrow{\varepsilon} \cdots$

that repeatedly receives the value 2 on channel $b$ and never performs the action $b!0$ is weakly fair modulo $\{\{b!\}\}$.

2.  The infinite computation

$\rho_2 = (P_2, [y = 1]) \xrightarrow{\varepsilon} ((b?y \,\Box\, a!2 \,\Box\, b!2); P_2, [y = 1]) \xrightarrow{b!2} (P_2, [y = 1]) \xrightarrow{\varepsilon} \cdots$

that repeatedly transmits the value 2 on channel $b$ is weakly fair modulo $\emptyset$.

3.  Let $s$ represent the state $[x = 2, y = 1]$, and let $\rho$ be the following computation, which can be obtained by interleaving and merging $\rho_1$ and $\rho_2$:

$\rho = ((b!0 \parallel P_1) \parallel P_2, s) \xrightarrow{\varepsilon} ((b!0 \parallel (b?x \,\Box\, a!1); P_1) \parallel P_2, s)$
$\quad \xrightarrow{\varepsilon} ((b!0 \parallel (b?x \,\Box\, a!1); P_1) \parallel (b?y \,\Box\, a!2 \,\Box\, b!2); P_2, s)$
$\quad \xrightarrow{\varepsilon} ((b!0 \parallel P_1) \parallel P_2, s) \xrightarrow{\varepsilon} \cdots$

The computation $\rho$ is weakly fair modulo $\{\{b!\}\}$: although the process $b!0$ is enabled for synchronization infinitely often, it is not enabled for synchronization continuously. In particular, the computation is weakly fair modulo $\{\{b!\}\}$ despite the infinite use of channel $b$ for synchronization between $P_1$ and $P_2$.

4.  It follows that the corresponding computation of $((b!0 \parallel P_1) \parallel P_2) \backslash b$ is weakly fair.  o

6.2  Weakly Fair Traces

The definition of parameterized weak fairness, combined with the experience of defining strongly fair and channel-fair traces, guides us in the construction of appropriate weakly fair traces. First, we need sets $\mathcal{F}$ of sets of directions to represent the process constraints, because a process can be enabled continuously without any particular action being enabled continuously. Second, we need to record the directions enabled at each step along a computation, because directions can be enabled continuously along a computation of a parallel command without being enabled continuously by any individual component.

We therefore define the set of weakly fair traces by

$\mathcal{P}_{fin}(\mathcal{P}_{fin}(\Delta)) \times (\mathcal{P}_{fin}(\Delta \cup \mathit{Chan}))^{\infty} \times \{f, i, p\}.$

Intuitively, the weakly fair trace $(\alpha, (\mathcal{F}, \mathcal{E}, f))$ represents a (necessarily weakly fair) successfully terminating computation having the finite sequence $\mathcal{E}$ of enabling sets. Similarly, the weakly fair trace $(\alpha, (\mathcal{F}, \mathcal{E}, i))$ represents an infinite, weakly fair mod $\mathcal{F}$ computation having the infinite sequence $\mathcal{E}$ of enabling sets. Finally, the weakly fair trace $(\alpha, (\mathcal{F}, \mathcal{E}, p))$ represents a partial computation such that $\mathcal{F}{\downarrow} \supseteq \mathit{initsets}(c_k, s_k)$, where $(c_k, s_k)$ is the final configuration of $\rho$; $\mathcal{E}$ again represents the sequence of enabling sets encountered along the computation.

We characterize a weakly fair trace semantics $\mathcal{T}_w$ on $\mathit{Com}$ operationally as follows:

$\mathcal{T}_w[\![c]\!] = \{(\mathit{trace}(\rho), (\mathcal{F}, \mathit{En}(\rho), f)) \mid \rho = (c, s_0) \xrightarrow{\lambda_0} (c_1, s_1) \xrightarrow{\lambda_1} \cdots (c_k, s_k)\,\mathit{term}\ \text{is weakly fair mod}\ \mathcal{F}\}$
$\quad \cup \{(\mathit{trace}(\rho), (\mathcal{F}, \mathit{En}(\rho), p)) \mid \mathcal{F}{\downarrow} \supseteq \mathit{initsets}(c_k, s_k)\ \&\ \rho = (c, s_0) \xrightarrow{\lambda_0} (c_1, s_1) \cdots (c_k, s_k)\ \&\ \neg (c_k, s_k)\,\mathit{term}\}$
$\quad \cup \{(\mathit{trace}(\rho), (\mathcal{F}, \mathit{En}(\rho), i)) \mid \rho = (c, s_0) \xrightarrow{\lambda_0} (c_1, s_1) \xrightarrow{\lambda_1} \cdots\ \text{is weakly fair mod}\ \mathcal{F}\}.$

6.3  Weakly Fair Trace Semantics

The denotational characterization of the weakly fair trace semantics is very similar to that for the channel-fair trace semantics $\mathcal{T}_h$. In fact, many of the semantic operators are simpler for weakly fair trace sets: we no longer have to keep track of insufficiently used channels, and the sets $\mathcal{F}$ of sets can be manipulated in much the same way as sets $F$ of directions. As a result, almost all the explanations that accompany the semantic definitions in this section are abbreviated forms of those encountered in Chapter 5.

We first introduce a semantic function $\mathcal{T}_w$ on $\mathit{BExp}$ such that

$\mathcal{T}_w[\![b]\!] = \{((s, \varepsilon, s), (\mathcal{F}, (\emptyset, \emptyset), f)) \mid (s, \mathit{tt}) \in \mathcal{B}[\![b]\!]\ \&\ \mathcal{F} \in \mathcal{P}_{fin}(\mathcal{P}_{fin}(\Delta))\}$
$\quad \cup \{(\varepsilon_s, (\mathcal{F}, (\emptyset), p)) \mid (s, \mathit{tt}) \in \mathcal{B}[\![b]\!]\ \&\ \mathcal{F}{\downarrow} \supseteq \{\{\varepsilon\}\}\}.$

As in the earlier semantics, each finite trace in $\mathcal{T}_w[\![b]\!]$ represents a transition made in the evaluation of the boolean expression $b$.

Based on the operational characterization of $\mathcal{T}_w$, it should be easy to see that

$\mathcal{T}_w[\![\mathbf{skip}]\!] = \{((s, \varepsilon, s), (\mathcal{F}, (\emptyset, \emptyset), f)) \mid s \in S\ \&\ \mathcal{F} \in \mathcal{P}_{fin}(\mathcal{P}_{fin}(\Delta))\}$
$\quad \cup \{(\varepsilon_s, (\mathcal{F}, (\emptyset), p)) \mid s \in S\ \&\ \mathcal{F}{\downarrow} \supseteq \{\{\varepsilon\}\}\}$

and

$\mathcal{T}_w[\![i := e]\!] = \{((s, \varepsilon, [s \mid i = n]), (\mathcal{F}, (\emptyset, \emptyset), f)) \mid i \in \mathit{dom}(s)\ \&\ \mathcal{F} \in \mathcal{P}_{fin}(\mathcal{P}_{fin}(\Delta))\ \&\ (s, n) \in \mathcal{E}[\![e]\!]\}$
$\quad \cup \{(\varepsilon_s, (\mathcal{F}, (\emptyset), p)) \mid \mathit{fv}[\![i := e]\!] \subseteq \mathit{dom}(s)\ \&\ \mathcal{F}{\downarrow} \supseteq \{\{\varepsilon\}\}\}.$

Similarly, for guards we obtain

$\mathcal{T}_w[\![h?i]\!] = \{((s, h?n, [s \mid i = n]), (\mathcal{F}, (\{h?\}, \emptyset), f)) \mid i \in \mathit{dom}(s)\ \&\ n \in \mathbb{Z}\ \&\ \mathcal{F} \in \mathcal{P}_{fin}(\mathcal{P}_{fin}(\Delta))\}$
$\quad \cup \{(\varepsilon_s, (\mathcal{F}, (\{h?\}), p)) \mid i \in \mathit{dom}(s)\ \&\ \mathcal{F}{\downarrow} \supseteq \{\{h?\}\}\}$

and

$\mathcal{T}_w[\![h!e]\!] = \{((s, h!n, s), (\mathcal{F}, (\{h!\}, \emptyset), f)) \mid (s, n) \in \mathcal{E}[\![e]\!]\ \&\ \mathcal{F} \in \mathcal{P}_{fin}(\mathcal{P}_{fin}(\Delta))\}$
$\quad \cup \{(\varepsilon_s, (\mathcal{F}, (\{h!\}), p)) \mid \mathit{fv}[\![e]\!] \subseteq \mathit{dom}(s)\ \&\ \mathcal{F}{\downarrow} \supseteq \{\{h!\}\}\}.$

Note the use of downwards closure in the partial traces of the communication guards: for all suitable states $s$, the configuration $(h?i, s)$ is blocked modulo $\mathcal{F}$ for all sets $\mathcal{F}$ with $\mathcal{F}{\downarrow} \supseteq \{\{h?\}\}$, and similarly for $(h!e, s)$.


Sequential composition

Two weakly fair traces $\varphi_1$ and $\varphi_2$ are composable whenever $\varphi_1$ is an infinite or partial trace, or when $\varphi_1$ is a finite trace and the initial state of $\varphi_2$ is the final state of $\varphi_1$. Moreover, their concatenation $\varphi_1\varphi_2$ is defined almost identically to the concatenation of channel-fair traces, except that we no longer need to keep track of the unused channels. For composable traces $\varphi_1 = (\alpha, (\mathcal{F}_1, \mathcal{E}_1, R_1))$ and $\varphi_2 = (\beta, (\mathcal{F}_2, \mathcal{E}_2, R_2))$, we define

$\varphi_1\varphi_2 = \begin{cases} \varphi_1, & \text{if } R_1 \in \{i, p\}, \\ (\alpha\beta, (\mathcal{F}_2, \mathcal{E}_1 \cdot \mathcal{E}_2, R_2)), & \text{if } R_1 = f. \end{cases}$

We then define sequential composition on weakly fair trace sets $T_1$ and $T_2$ in the familiar way:

$T_1 ; T_2 = \{\varphi_1\varphi_2 \mid \varphi_1 \in T_1\ \&\ \varphi_2 \in T_2\ \&\ \mathit{composable}(\varphi_1, \varphi_2)\}.$

Finally, we define

$\mathcal{T}_w[\![c_1; c_2]\!] = \mathcal{T}_w[\![c_1]\!] ; \mathcal{T}_w[\![c_2]\!],$

$\mathcal{T}_w[\![g \to c]\!] = \mathcal{T}_w[\![g]\!] ; \mathcal{T}_w[\![c]\!],$

and

$\mathcal{T}_w[\![\mathbf{if}\ b\ \mathbf{then}\ c_1\ \mathbf{else}\ c_2]\!] =$
Iteration

Let $(\varphi_i)_{i \ge 0}$ be an infinite sequence of weakly fair traces such that, for each $i \ge 0$, $\varphi_i = (\alpha_i, (\mathcal{F}_i, \mathcal{E}_i, R_i))$. The sequence $(\varphi_i)_{i \ge 0}$ is composable if the set $\bigcup_{i=0}^{\infty} \mathcal{F}_i$ is finite and (for each $i$) the traces $\varphi_0\varphi_1 \cdots \varphi_{i-1}$ and $\varphi_i$ are composable. When each $\varphi_i$ is finite, the infinite concatenation of the infinite sequence $(\varphi_i)_{i \ge 0}$ of finite traces is

$\varphi_0\varphi_1\varphi_2 \cdots = (\alpha_0\alpha_1 \cdots \alpha_n \cdots, (\bigcup_{i=0}^{\infty} \mathcal{F}_i, \mathcal{E}_0 \cdot \mathcal{E}_1 \cdot \mathcal{E}_2 \cdots, i)).$

When at least one of the traces $\varphi_i$ is a partial or infinite trace, then the first such $\varphi_i$ provides the relevant contextual information for the resulting trace; thus, if $\varphi_k$ is the first nonfinite trace, then we define the infinite concatenation of the sequence $(\varphi_i)_{i \ge 0}$ to be

$\varphi_0\varphi_1\varphi_2 \cdots = (\alpha_0\alpha_1 \cdots \alpha_k, (\mathcal{F}_k, \mathcal{E}_0 \cdot \mathcal{E}_1 \cdots \mathcal{E}_k, R_k)).$

Once again, the definitions for finite and infinite iteration on trace sets follow directly from the definitions of concatenation and sequential composition. We define finite iteration on the trace set $T$ by

$T^{*} = \bigcup_{i \ge 0} T^{i},$

where $T^{0} = \{(\varepsilon_s, (\emptyset, (\emptyset), f)) \mid s \in S\}$ and $T^{n+1} = T^{n} ; T$. We define infinite iteration on the trace set $T$ as follows:

$T^{\omega} = \{\varphi_0\varphi_1 \cdots \varphi_k \cdots \mid (\forall i \ge 0.\ \varphi_i \in T)\ \&\ \mathit{composable}((\varphi_i)_{i \ge 0})\}.$

The semantics of loops again relies on the definitions of iteration:

$\mathcal{T}_w[\![\mathbf{while}\ b\ \mathbf{do}\ c']\!] = (\mathcal{T}_w[\![b]\!] ; \mathcal{T}_w[\![c']\!])^{\omega} \cup (\mathcal{T}_w[\![b]\!] ; \mathcal{T}_w[\![c']\!])^{*} ; \mathcal{T}_w[\![\neg b]\!].$


Guarded choice

The definition of guarded choice on weakly fair trace sets is a simple generalization of that for channel-fair traces: there is no need to keep track of the unused channels. For weakly fair trace sets $T_1$ and $T_2$, we define:

$T_1 \,\Box\, T_2 = \{(\alpha, (\mathcal{F}_1, (E_0 \cup E)\mathcal{E}, R)) \mid (\alpha, (\mathcal{F}_1, (E_0)\mathcal{E}, R)) \in T_1\ \&\ (\varepsilon_s, (\mathcal{F}_2, (E), p)) \in T_2\}$
$\quad \cup \{(\alpha, (\mathcal{F}_2, (E_0 \cup E)\mathcal{E}, R)) \mid (\alpha, (\mathcal{F}_2, (E_0)\mathcal{E}, R)) \in T_2\ \&\ (\varepsilon_s, (\mathcal{F}_1, (E), p)) \in T_1\}.$

We then define $\mathcal{T}_w[\![gc_1 \,\Box\, gc_2]\!] = \mathcal{T}_w[\![gc_1]\!] \,\Box\, \mathcal{T}_w[\![gc_2]\!]$.
Channel restriction

The weakly fair trace set $T \backslash h$ can be obtained from $T$ by first removing those traces in which $h$ is visible and then deleting all mentions of $h$ from enabling sequences and fairness sets. For a set $\mathcal{F}$ of sets of directions, we define $\mathcal{F} \backslash h$ in the obvious way: $\mathcal{F} \backslash h = \{F \backslash h \mid F \in \mathcal{F}\}$. We then define

$T \backslash h = \{(\alpha, (\mathcal{F}', \mathcal{E} \backslash h, R)) \mid (\alpha, (\mathcal{F}, \mathcal{E}, R)) \in T\ \&\ \mathcal{F}'{\downarrow} \supseteq (\mathcal{F} \backslash h){\downarrow}\ \&\ h \notin \mathit{chans}(\alpha)\},$

so that $\mathcal{T}_w[\![c \backslash h]\!] = \mathcal{T}_w[\![c]\!] \backslash h$.


Parallel composition

To define parallel composition for sets of weakly fair traces, we follow the same general approach taken in Chapter 3 for strongly fair traces. In particular, we define a relation $\mathit{fairmerge}$ as the greatest fixed point of a functional

$F(Y) = \mathit{both} \cdot Y \cup \mathit{one},$

and we introduce a predicate $\mathit{mergeable}$ that indicates which mergings of computations are meaningful. Because the weak fairness of a computation can depend on the particular order in which independent actions occur, the $\mathit{mergeable}$ predicate depends not only on the traces to be merged but also on the resulting trace. We therefore begin by defining $\mathit{fairmerge}$, deferring for now the question of which fair merges correspond to weakly fair computations.

The $\mathit{fairmerge}$ relation for weakly fair traces is a simple generalization of the $\mathit{fairmerge}$ relation for channel-fair traces: we need only omit the sets of unused channels and use fairness sets $\mathcal{F}$ of sets rather than fairness sets $F$ of directions. For completeness, the definitions are included here, but with very few accompanying explanations.

For finite traces $\varphi_1 = (\alpha_1, (\mathcal{F}_1, \mathcal{E}_1, f))$ and $\varphi_2 = (\alpha_2, (\mathcal{F}_2, \mathcal{E}_2, f))$ such that $\alpha_1 \sqcup \alpha_2$ is defined, we define

$\varphi_1 \sqcup \varphi_2 = \{(\alpha_1 \sqcup \alpha_2, (\mathcal{F}, \mathcal{E}_1 \sqcup \mathcal{E}_2, f)) \mid \mathcal{F}{\downarrow} \supseteq (\mathcal{F}_1 \cup \mathcal{F}_2){\downarrow}\}.$

Each trace $\varphi \in \varphi_1 \sqcup \varphi_2$ represents a transition sequence of a parallel command in which one component performs actions corresponding to $\varphi_1$, followed by the other component performing actions corresponding to $\varphi_2$. Likewise, for matching finite traces $\varphi_1 = (\alpha_1, (\mathcal{F}_1, \mathcal{E}_1, f))$ and $\varphi_2 = (\alpha_2, (\mathcal{F}_2, \mathcal{E}_2, f))$, $\varphi_1 \parallel \varphi_2$ is the set of traces corresponding to their synchronization at each step:

$\varphi_1 \parallel \varphi_2 = \{(\alpha_1 \parallel \alpha_2, (\mathcal{F}, \mathcal{E}_1 \parallel \mathcal{E}_2, f)) \mid \mathcal{F}{\downarrow} \supseteq (\mathcal{F}_1 \cup \mathcal{F}_2){\downarrow}\}.$

These two operations on traces form the basis for the set $\mathit{both}$ of triples that reflect finite transition sequences that occur while both components remain active:

$\mathit{both} = \{(\varphi_1, \varphi_2, \varphi), (\varphi_2, \varphi_1, \varphi) \mid \varphi_1 = (\alpha, (\mathcal{F}_1, \mathcal{E}_1, f))\ \&\ \varphi_2 = (\beta, (\mathcal{F}_2, \mathcal{E}_2, f))\ \&\ \mathit{disjoint}(\alpha, \beta)\ \&\ \varphi \in \varphi_1 \sqcup \varphi_2\}$
$\quad \cup \{(\varphi_1, \varphi_2, \varphi) \mid \varphi_1 = (\alpha, (\mathcal{F}_1, \mathcal{E}_1, f))\ \&\ \varphi_2 = (\beta, (\mathcal{F}_2, \mathcal{E}_2, f))\ \&\ \mathit{disjoint}(\alpha, \beta)\ \&\ \mathit{match}(\alpha, \beta)\ \&\ \varphi \in \varphi_1 \parallel \varphi_2\}.$

Once a component terminates successfully or becomes permanently blocked (modulo some set $\mathcal{F}$), the other component may proceed uninterrupted. Such situations are reflected by traces in the set $\varphi_1 \sqcup \varphi_2$, where $\varphi_1 = (\alpha, (\mathcal{F}_1, \mathcal{E}, R_1))$ represents the active component and $\varphi_2$ is an empty finite trace $(\varepsilon_s, (\mathcal{F}_2, (\emptyset), f))$ or an empty partial trace $(\varepsilon_s, (\mathcal{F}_2, (E'), p))$. When $\varphi_2 = (\varepsilon_s, (\mathcal{F}_2, (\emptyset), f))$, we define

$\varphi_1 \sqcup \varphi_2 = \{(\alpha \sqcup \varepsilon_s, (\mathcal{F}, \mathcal{E} \sqcup \emptyset, R_1)) \mid \mathcal{F}{\downarrow} \supseteq (\mathcal{F}_1 \cup \mathcal{F}_2){\downarrow}\}.$

When $\varphi_2 = (\varepsilon_s, (\mathcal{F}_2, (E'), p))$, we define

$\varphi_1 \sqcup \varphi_2 = \begin{cases} \{(\alpha \sqcup \varepsilon_s, (\mathcal{F}, \mathcal{E} \sqcup E', p)) \mid \mathcal{F}{\downarrow} \supseteq (\mathcal{F}_1 \cup \mathcal{F}_2){\downarrow}\}, & \text{if } R_1 \in \{f, p\}, \\ \{(\alpha \sqcup \varepsilon_s, (\mathcal{F}, \mathcal{E} \sqcup E', i)) \mid \mathcal{F}{\downarrow} \supseteq (\mathcal{F}_1 \cup \mathcal{F}_2){\downarrow}\}, & \text{if } R_1 = i. \end{cases}$

These definitions provide the basis for the set $\mathit{one}$ of triples that reflect transition sequences in which only one component remains active:

$\mathit{one} = \{(\varphi_1, \varphi_2, \varphi) \mid \varphi_1 = (\alpha, (\mathcal{F}, \mathcal{E}, R))\ \&\ \varphi_2 = (\varepsilon_s, (\mathcal{F}', E', R'))\ \&\ \mathit{disjoint}(\alpha, s)\ \&\ \varphi \in \varphi_1 \sqcup \varphi_2\}.$

We can now also define $\mathit{fairmerge} = \mathit{both}^{\omega} \cup \mathit{both}^{*} \cdot \mathit{one}$, again with the intuition that the triple $(\varphi_1, \varphi_2, \varphi)$ is in $\mathit{fairmerge}$ if and only if the trace $\varphi$ is a fair merging and interleaving of the traces $\varphi_1$ and $\varphi_2$. In particular, just as for strong channel fairness, the triple $(\varphi, \varphi', \psi)$ is in $\mathit{both}^{\omega}$ if and only if the traces $\varphi$, $\varphi'$, and $\psi$ can be written as

$\varphi = \varphi_0 \cdot \varphi_1 \cdot \varphi_2 \cdot \varphi_3 \cdots,\quad \varphi' = \varphi'_0 \cdot \varphi'_1 \cdot \varphi'_2 \cdot \varphi'_3 \cdots,\quad \psi = \psi_0 \cdot \psi_1 \cdot \psi_2 \cdot \psi_3 \cdots,$

such that each $\varphi_i$, $\varphi'_i$ and $\psi_i$ is finite, and each $\psi_i$ is in the set $(\varphi_i \sqcup \varphi'_i \cup \varphi'_i \sqcup \varphi_i \cup \varphi_i \parallel \varphi'_i)$. Likewise, the triple $(\varphi, \varphi', \psi)$ is in $\mathit{both}^{*} \cdot \mathit{one}$ if and only if the traces $\varphi$, $\varphi'$, and $\psi$ can be written as

$\varphi = \varphi_0 \cdot \varphi_1 \cdot \varphi_2 \cdot \varphi_3 \cdots \varphi_n,\quad \varphi' = \varphi'_0 \cdot \varphi'_1 \cdot \varphi'_2 \cdot \varphi'_3 \cdots \varphi'_n,\quad \psi = \psi_0 \cdot \psi_1 \cdot \psi_2 \cdot \psi_3 \cdots \psi_n,$

such that each $\varphi_i$, $\varphi'_i$ and $\psi_i$ (for $i < n$) is a nonempty finite trace, each $\psi_i$ (for $i < n$) is a member of the set $(\varphi_i \sqcup \varphi'_i \cup \varphi'_i \sqcup \varphi_i \cup \varphi_i \parallel \varphi'_i)$, at least one of $\varphi_n$ and $\varphi'_n$ has form $(\varepsilon_s, \theta)$, and $\psi_n$ is a member of the set $(\varphi_n \sqcup \varphi'_n \cup \varphi'_n \sqcup \varphi_n)$.
However, defining the triples $(\varphi_1, \varphi_2, \varphi)$ of $\mathit{fairmerge}$ is not enough for defining parallel composition on weakly fair trace sets. Despite being a fair merging of the two traces, $\varphi$ may not represent a weakly fair computation: it is important to verify that the subprocesses that are blocked fairly along $\varphi_1$ and $\varphi_2$ are not enabled continuously along $\varphi$. Thus, we define a ternary predicate $\mathit{mergeable}$ that not only takes into account the properties of $\varphi_1$ and $\varphi_2$, but also ensures that the resulting parallel trace $\varphi$ satisfies all necessary process constraints.

A set $F$ of directions is enabled for synchronization with the enabling set $E$, written $\mathit{enabled}(F, E)$, if there exists a direction $d \in F$ such that $\mathit{chan}(d) \in E$. Intuitively, the set $F$ represents the set of directions enabled by some subprocess $Q$ of a command $c_1$. If $E$ is the enabling set of the parallel command $c_1 \parallel c_2$, then the process $Q$ is enabled for synchronization with another process if and only if there is some direction $d \in F$ such that the channel $\mathit{chan}(d)$ appears in $E$.

A set $F$ of directions is blocked along $\mathcal{E}$, written $\mathit{blocked}(F, \mathcal{E})$, if $\mathcal{E}$ is finite or if there are infinitely many sets $E$ along $\mathcal{E}$ such that $F$ is not enabled for synchronization with $E$. That is, letting $E_i$ represent the $i$th element of the sequence $\mathcal{E}$, the predicate $\mathit{blocked}(F, \mathcal{E})$ is defined as follows:

$\mathit{blocked}(F, \mathcal{E}) \iff \forall i \ge 0.\ \exists j \ge i.\ \neg\mathit{enabled}(F, E_j).$

We extend this notion of blocking to sets $\mathcal{F}$ of sets of directions as well: the set $\mathcal{F}$ is blocked along $\mathcal{E}$ if every member of $\mathcal{F}$ is blocked along $\mathcal{E}$. That is,

$\mathit{blocked}(\mathcal{F}, \mathcal{E}) \iff \forall F \in \mathcal{F}.\ \mathit{blocked}(F, \mathcal{E}).$

This notion of blocking forms the basis of the ternary predicate $\mathit{mergeable}$: for traces $\varphi_1 = (\alpha_1, (\mathcal{F}_1, \mathcal{E}_1, R_1))$, $\varphi_2 = (\alpha_2, (\mathcal{F}_2, \mathcal{E}_2, R_2))$, and $\varphi = (\alpha, (\mathcal{F}, \mathcal{E}, R))$,

$\mathit{mergeable}(\varphi_1, \varphi_2, \varphi) \iff (R = f)\ \text{or}\ (R = p)\ \text{or}\ (\{\varepsilon\} \notin \mathcal{F}_1 \cup \mathcal{F}_2\ \&\ \mathit{blocked}(\mathcal{F}_1 \cup \mathcal{F}_2, \mathcal{E})).$

Thus the predicate $\mathit{mergeable}(\varphi_1, \varphi_2, \varphi)$ is true whenever $\varphi$ is a finite or partial trace, or if no member of $\mathcal{F}_1 \cup \mathcal{F}_2$ is enabled for synchronization continuously along the infinite trace $\varphi$.

Finally, we define fair parallel composition on trace sets as follows:

$T_1 \parallel T_2 = \{\varphi \mid \varphi_1 = (\alpha, (\mathcal{F}_1, \mathcal{E}_1, R_1)) \in T_1\ \&\ \varphi_2 = (\beta, (\mathcal{F}_2, \mathcal{E}_2, R_2)) \in T_2\ \&\ (\varphi_1, \varphi_2, \varphi) \in \mathit{fairmerge}\ \&\ \mathit{mergeable}(\varphi_1, \varphi_2, \varphi)\}.$

It follows that $\mathcal{T}_w[\![c_1 \parallel c_2]\!] = \mathcal{T}_w[\![c_1]\!] \parallel \mathcal{T}_w[\![c_2]\!]$.
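The predicates $\mathit{enabled}$, $\mathit{blocked}$ and $\mathit{mergeable}$ above are decidable on the periodic computations used in Examples 6.1.5 and 6.1.6, and the following Python program is an added example (my code, not the dissertation's) that implements them and applies them to those two interleavings. An infinite enabling sequence is represented as a lasso, a finite prefix followed by a cycle repeated forever, so that "infinitely many $E_j$" becomes "some $E$ in the cycle". Two things are my own assumptions rather than the dissertation's definitions: the step component $\alpha$ of a trace is omitted because $\mathit{mergeable}$ does not inspect it, and an enabling set is derived from the directions each process offers by taking every offered direction plus the channel name $h$ whenever two different processes offer $h?$ and $h!$. The constructed configurations follow the computations $\rho$ and $\rho'$ step by step.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

Direction = str                  # 'a?' (receive on a), 'a!' (send on a), or 'ε' (internal step)
DirSet = FrozenSet[Direction]


def chan(d: Direction):
    """Channel name of a communication direction; the internal step ε has none."""
    return None if d == 'ε' else d[:-1]


def enabling_set(offers: List[DirSet]) -> FrozenSet[str]:
    """Enabling set E of a configuration, from the directions each process offers.
    ASSUMPTION (a simplification, not the dissertation's definition): E holds every
    offered direction plus the channel name h whenever one process offers h? and a
    different process offers h!, i.e. whenever a handshake on h is possible."""
    E = set().union(*offers)
    for i, fi in enumerate(offers):
        for j, fj in enumerate(offers):
            if i != j:
                E.update(chan(d) for d in fi if d.endswith('?') and chan(d) + '!' in fj)
    return frozenset(E)


@dataclass(frozen=True)
class Lasso:
    """An enabling sequence: a finite prefix, then a cycle repeated forever.
    An empty cycle means the sequence (and the computation) is finite."""
    prefix: Tuple[FrozenSet[str], ...]
    cycle: Tuple[FrozenSet[str], ...] = ()


def enabled(F: DirSet, E: FrozenSet[str]) -> bool:
    """enabled(F, E): some direction d in F has chan(d) in E."""
    return any(chan(d) in E for d in F if chan(d) is not None)


def blocked(F: DirSet, seq: Lasso) -> bool:
    """blocked(F, seq): seq is finite, or F fails to be enabled for synchronization with
    infinitely many of its sets; in a lasso that means with some set of the cycle."""
    if not seq.cycle:
        return True
    return any(not enabled(F, E) for E in seq.cycle)


def blocked_all(FF: FrozenSet[DirSet], seq: Lasso) -> bool:
    """blocked(FF, seq): every member of FF is blocked along seq."""
    return all(blocked(F, seq) for F in FF)


@dataclass(frozen=True)
class Trace:
    """Contextual part (FF, EE, R) of a weakly fair trace; the step sequence is omitted."""
    F: FrozenSet[DirSet]
    E: Lasso
    R: str                       # 'f' finite, 'i' infinite, 'p' partial


def mergeable(phi1: Trace, phi2: Trace, phi: Trace) -> bool:
    """mergeable(phi1, phi2, phi): phi finite or partial, or no member of F1 ∪ F2 is
    enabled for synchronization continuously along phi (and {ε} is not among them)."""
    if phi.R in ('f', 'p'):
        return True
    FF = phi1.F | phi2.F
    return frozenset({'ε'}) not in FF and blocked_all(FF, phi.E)


# Constructed configurations of Examples 6.1.5 and 6.1.6 as the directions offered by the
# three processes a?x, C and C2: a loop at its head offers nothing, a loop inside its
# body (a!1 □ b!1 or a!2 □ b!2) offers a! and b!.
RX, TOP, BODY = frozenset({'a?'}), frozenset(), frozenset({'a!', 'b!'})


def lasso_of(prefix, cycle) -> Lasso:
    return Lasso(tuple(enabling_set(list(c)) for c in prefix),
                 tuple(enabling_set(list(c)) for c in cycle))


# ρ of Example 6.1.5: every fourth configuration has both loops at their heads.
RHO = lasso_of([], [(RX, TOP, TOP), (RX, BODY, TOP), (RX, BODY, BODY), (RX, TOP, BODY)])
# ρ' of Example 6.1.6: from the second configuration on, some loop is always inside its body.
RHO_PRIME = lasso_of([(RX, TOP, TOP), (RX, BODY, TOP)],
                     [(RX, BODY, BODY), (RX, TOP, BODY), (RX, BODY, BODY), (RX, BODY, TOP)])

PHI1 = Trace(frozenset({frozenset({'a?'})}), lasso_of([], [(RX, TOP), (RX, BODY)]), 'i')  # ρ1
PHI2 = Trace(frozenset(), lasso_of([], [(TOP,), (BODY,)]), 'i')                           # ρ2


def check_examples() -> Tuple[bool, bool]:
    """mergeable for the merge of ρ1 and ρ2 into ρ, and into ρ'."""
    merged = Trace(PHI1.F | PHI2.F, RHO, 'i')
    merged_prime = Trace(PHI1.F | PHI2.F, RHO_PRIME, 'i')
    return mergeable(PHI1, PHI2, merged), mergeable(PHI1, PHI2, merged_prime)


if __name__ == '__main__':
    print(check_examples())      # (True, False)
```

The result matches the text: along $\rho$ the configuration $(a?x \parallel C \parallel C_2, s \cup t)$ recurs, its enabling set contains no channel $a$, so $\{a?\}$ is blocked and the merge is admissible; along $\rho'$ every configuration of the cycle offers $a!$ from $C$ or $C_2$, so $\{a?\}$ is enabled continuously and $\mathit{mergeable}$ rejects the merge even though both $\rho_1$ and $\rho_2$ were fair on their own.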

We can now give the denotational characterization of the weakly fair trace semantics $\mathcal{T}_w$ in its entirety. Once again, this characterization looks essentially the same as the denotational characterizations of the strongly fair and the strongly channel-fair semantics of previous chapters. The only differences are the sets of process constraints and the bookkeeping operations that underlie the new interpretations of the semantic operators.

Definition 6.3.1  The trace semantic function $\mathcal{T}_w$ on $\mathit{Com}$ is defined by:

$\mathcal{T}_w[\![\mathbf{skip}]\!] = \{((s, \varepsilon, s), (\mathcal{F}, (\emptyset, \emptyset), f)) \mid s \in S\ \&\ \mathcal{F} \in \mathcal{P}_{fin}(\mathcal{P}_{fin}(\Delta))\}$
$\quad \cup \{(\varepsilon_s, (\mathcal{F}, (\emptyset), p)) \mid s \in S\ \&\ \mathcal{F}{\downarrow} \supseteq \{\{\varepsilon\}\}\}$

$\mathcal{T}_w[\![i := e]\!] = \{((s, \varepsilon, [s \mid i = n]), (\mathcal{F}, (\emptyset, \emptyset), f)) \mid i \in \mathit{dom}(s)\ \&\ \mathcal{F} \in \mathcal{P}_{fin}(\mathcal{P}_{fin}(\Delta))\ \&\ (s, n) \in \mathcal{E}[\![e]\!]\}$
$\quad \cup \{(\varepsilon_s, (\mathcal{F}, (\emptyset), p)) \mid \mathit{fv}[\![i := e]\!] \subseteq \mathit{dom}(s)\ \&\ \mathcal{F}{\downarrow} \supseteq \{\{\varepsilon\}\}\}$

$\mathcal{T}_w[\![\mathbf{if}\ b\ \mathbf{then}\ c_1\ \mathbf{else}\ c_2]\!] =$

$\mathcal{T}_w[\![\mathbf{while}\ b\ \mathbf{do}\ c]\!] = (\mathcal{T}_w[\![b]\!] ; \mathcal{T}_w[\![c]\!])^{\omega} \cup (\mathcal{T}_w[\![b]\!] ; \mathcal{T}_w[\![c]\!])^{*} ; \mathcal{T}_w[\![\neg b]\!]$

$\mathcal{T}_w[\![h?i]\!] = \{((s, h?n, [s \mid i = n]), (\mathcal{F}, (\{h?\}, \emptyset), f)) \mid i \in \mathit{dom}(s)\ \&\ n \in \mathbb{Z}\ \&\ \mathcal{F} \in \mathcal{P}_{fin}(\mathcal{P}_{fin}(\Delta))\}$
$\quad \cup \{(\varepsilon_s, (\mathcal{F}, (\{h?\}), p)) \mid i \in \mathit{dom}(s)\ \&\ \mathcal{F}{\downarrow} \supseteq \{\{h?\}\}\}$

$\mathcal{T}_w[\![h!e]\!] = \{((s, h!n, s), (\mathcal{F}, (\{h!\}, \emptyset), f)) \mid (s, n) \in \mathcal{E}[\![e]\!]\ \&\ \mathcal{F} \in \mathcal{P}_{fin}(\mathcal{P}_{fin}(\Delta))\}$
$\quad \cup \{(\varepsilon_s, (\mathcal{F}, (\{h!\}), p)) \mid \mathit{fv}[\![e]\!] \subseteq \mathit{dom}(s)\ \&\ \mathcal{F}{\downarrow} \supseteq \{\{h!\}\}\}$

$\mathcal{T}_w[\![g \to c]\!] = \mathcal{T}_w[\![g]\!] ; \mathcal{T}_w[\![c]\!]$
$\mathcal{T}_w[\![gc_1 \,\Box\, gc_2]\!] = \mathcal{T}_w[\![gc_1]\!] \,\Box\, \mathcal{T}_w[\![gc_2]\!]$
$\mathcal{T}_w[\![c_1 \parallel c_2]\!] = \mathcal{T}_w[\![c_1]\!] \parallel \mathcal{T}_w[\![c_2]\!]$

$\mathcal{T}_w[\![c \backslash h]\!] = \mathcal{T}_w[\![c]\!] \backslash h.$

o


6.4  Final Comments on $\mathcal{T}_w$

The semantics $\mathcal{T}_w$ is sound with respect to all the (weakly fair equivalents of the) behaviors introduced in Chapter 4. However, it is not fully abstract with respect to any of them, for many of the same reasons that the channel-fair semantics fails to be fully abstract.

Despite the problems with full abstraction, the semantics $\mathcal{T}_w$ still sheds light on the problem of incorporating fairness assumptions into denotational semantics. It demonstrates the further applicability and robustness of the trace framework. Simply by replacing simple sets of actions by sets of sets of actions, we can parameterize and model weak process constraints instead of strong process constraints. Perhaps surprisingly, the weakly fair semantics retains a significant portion of the structure necessary for the channel-fair semantics, despite the underlying differences in the notions of fairness. In particular, both the channel-fair and the weakly fair semantics require sequences of enabling sets to account for the effect that the ordering of independent actions can have on the perceived fairness of a computation. Such sequences seem a natural consequence of fairness notions that are not equivalence robust.


Chapter  7 

Hybrid  Communicating  Processes 


Both Brookes' fair transition traces for shared-variable programs [Bro96b] and the fair traces for communicating processes in this dissertation play the same role in their respective semantics: they serve as abstract representations of fair computations. In each semantics, the meaning of a command is the set of traces corresponding to its fair computations (or, more accurately, corresponding to its fair transition sequences), and the structure of the traces reflects the communication features of the underlying paradigm. Transition traces represent transition sequences in which the external environment may alter the state between successive transitions. In contrast, the fair traces we developed for communicating processes represent transition sequences in which the environment never makes a state change and may interact with processes only by message passing. Because a process's external environment cannot alter its private state, state changes between steps of a fair trace are disallowed. The fair traces also require an additional contextual component that chronicles the relevant information for modeling fairness.

These  two  different  kinds  of  trace  structure  are  intuitively  orthogonal,  representing  distinct 
but  compatible  aspects  of  computation.  In  particular,  the  two  structures  can  be  combined  in  a 
very  intuitive  way  to  yield  a  semantics  for  a  hybrid  language  of  processes  that  communicate 
through  both  message  passing  and  shared  memory.  In  this  chapter,  we  introduce  such  a  hybrid 
language,  and  we  construct  for  it  a  semantics  that  incorporates  assumptions  of  strong  fairness. 
Horita,  de  Bakker,  and  Rutten  define  a  fully  abstract  semantics  for  a  similar  hybrid  language 
[HdBR94];  the  semantics  of  this  chapter  generalizes  their  semantics  by  incorporating  fairness 
assumptions. 

The addition of shared-variable parallelism requires a generalization of parameterized strong fairness that accounts for state interruptions. By combining the shared-variable transition traces with the communicating processes' strongly fair traces in a natural way, we construct a hybrid trace semantics suitable for reasoning about the behavior of these hybrid processes. This semantics is also fully abstract, and the full-abstraction proof is a natural amalgam of the full-abstraction proofs of the original two semantics. The full-abstraction result indicates that the hybrid traces accurately capture the type of information necessary for reasoning about systems in which communication occurs both through message passing and through changes to shared memory.

The ease with which these two different semantics can be combined demonstrates the modularity of the semantic features and provides further evidence that the transition traces and the strongly fair traces accurately capture the important essence of fair computation for their underlying paradigms. The resulting hybrid semantics requires the same closure conditions for full abstraction as the original two semantics did, and the full-abstraction proof relies on the same observations and subsidiary lemmas that underlie the full-abstraction proofs of the original semantics. Indeed, part of the value of the hybrid semantics' full-abstraction result is the ease with which we obtain it.


7.1  A  Language  of  Hybrid  Processes 

The  language  of  communicating  processes  that  we  have  considered  so  far  allows  processes 
to  communicate  only  through  synchronous  message  passing.  In  this  section,  we  add  shared- 
variable  parallelism  and  conditional  critical  regions  to  yield  a  hybrid  language  of  processes  that 
can  communicate  with  one  another  both  by  message  passing  and  by  changes  to  shared  memory. 
The  resulting  language  captures  the  following  abstract  view  of  systems. 

Intuitively, a system is a (possibly dynamic) collection of realms, with potentially multiple threads of control in each realm. Each realm has its own local state, and communication between threads in the same realm occurs via this shared local memory. In contrast, communication between threads in different realms occurs via message passing along named channels. For example, one can imagine several clusters of workstations connected to one another by high-speed networks, with processes on same-cluster workstations communicating across distributed shared memory and distant-cluster workstations communicating by messages across the network; each cluster is a realm, and the processes on the individual workstations are the threads of that realm. This view of systems encompasses (and generalizes) both the shared-memory and the communicating-process models. Shared-variable programs correspond to a single realm containing multiple threads; communicating processes correspond to multiple-realm systems in which each realm has precisely one thread of control.

This type of hybrid language supports the modeling of systems such as distributed databases, automated banking systems (i.e., ATMs), airline-reservation systems, and so on. These applications all share three common features: (1) various nodes can be physically distant from one another, making message passing the only viable communication mechanism; (2) "local" processes may require fine-grained sharing, making shared memory the most efficient mechanism; and (3) clients (either software or human) cannot or will not tolerate being ignored forever, making fairness an essential feature of the system.

The language's syntax and operational semantics are very similar to those described in Section 2.1 for the simple communicating processes.


7.1.1  Syntax 

The  abstract  syntax  of  the  language  relies  on  the  following  seven  syntactic  domains: 

•  Ide, the set of identifiers, ranged over by $i$;

•  BExp, the set of boolean expressions, ranged over by $b$;

•  Exp, the set of (integer) arithmetic expressions, ranged over by $e$;

•  Chan, the set of channel names, ranged over by $h$;

•  Gua, the set of communication guards, ranged over by $g$;

•  GCom, the set of guarded commands, ranged over by $gc$;

•  Com, the set of commands, ranged over by $c$.

We again take for granted the syntax of identifiers, channel names, and boolean and arithmetic expressions. The syntax of guards, guarded commands, and commands is given by the following grammar:

$g$   ::=  $h?i$  |  $h!e$
$gc$  ::=  $g \to c$  |  $gc_1 \,\Box\, gc_2$
$c$   ::=  $\mathbf{skip}$  |  $i := e$  |  $c_1 ; c_2$  |  $\mathbf{if}\ b\ \mathbf{then}\ c_1\ \mathbf{else}\ c_2$  |  $\mathbf{while}\ b\ \mathbf{do}\ c$  |  $gc$
       |  $\mathbf{await}\ b\ \mathbf{then}\ c$  |  $c_1 \,|||\, c_2$  |  $c_1 \parallel c_2$  |  $c \backslash h$

We impose two additional syntactic constraints. First, in commands of the form

$\mathbf{await}\ b\ \mathbf{then}\ c$,

we require that the command $c$ contains only assignments and skips. This requirement ensures that the command $c$ terminates, and it represents a reasonable expectation of the scheduler: it is straightforward for a scheduler to disable all other processes to allow a single process to perform a finite series of assignments uninterrupted, but it is unreasonable for the scheduler to disable other processes permanently to allow a process to enter what may turn out to be an infinite loop. Moreover, this syntactic restriction does not restrict the expressive power of the language. Second, for commands of form $c_1 \parallel c_2$, we require that $c_1$ and $c_2$ have disjoint free identifiers. This restriction ensures that the processes associated with $c_1$ and $c_2$ maintain their own private state spaces: the only way that either component can affect the other's execution is through handshake communications.
$$\frac{\langle b,s\rangle \to^{*} \mathit{tt}\qquad \langle c,s\rangle \to^{*} \langle c',s'\rangle\,\mathrm{term}}{\langle \mathbf{await}\ b\ \mathbf{then}\ c,\ s\rangle \xrightarrow{\varepsilon} \langle c',s'\rangle}$$

$$\frac{\langle b,s\rangle \to^{*} \mathit{ff}}{\langle \mathbf{await}\ b\ \mathbf{then}\ c,\ s\rangle \xrightarrow{\varepsilon} \langle \mathbf{await}\ b\ \mathbf{then}\ c,\ s\rangle}$$

$$\frac{\langle c_1,s\rangle \xrightarrow{\lambda} \langle c_1',s'\rangle}{\langle c_1 \,|||\, c_2,\ s\rangle \xrightarrow{\lambda} \langle c_1' \,|||\, c_2,\ s'\rangle}\qquad
\frac{\langle c_2,s\rangle \xrightarrow{\lambda} \langle c_2',s'\rangle}{\langle c_1 \,|||\, c_2,\ s\rangle \xrightarrow{\lambda} \langle c_1 \,|||\, c_2',\ s'\rangle}$$

$$\frac{\langle c_1,s_1\rangle \xrightarrow{\lambda} \langle c_1',s_1'\rangle}{\langle c_1 \,\|\, c_2,\ s_1\cup s_2\rangle \xrightarrow{\lambda} \langle c_1' \,\|\, c_2,\ s_1'\cup s_2\rangle}\quad \text{if } \mathrm{disjoint}(s_1,s_2)$$

$$\frac{\langle c_2,s_2\rangle \xrightarrow{\lambda} \langle c_2',s_2'\rangle}{\langle c_1 \,\|\, c_2,\ s_1\cup s_2\rangle \xrightarrow{\lambda} \langle c_1 \,\|\, c_2',\ s_1\cup s_2'\rangle}\quad \text{if } \mathrm{disjoint}(s_1,s_2)$$

$$\frac{\langle c_1,s_1\rangle \xrightarrow{h!n} \langle c_1',s_1'\rangle\qquad \langle c_2,s_2\rangle \xrightarrow{h?n} \langle c_2',s_2'\rangle}{\langle c_1 \,\|\, c_2,\ s_1\cup s_2\rangle \xrightarrow{\varepsilon} \langle c_1' \,\|\, c_2',\ s_1'\cup s_2'\rangle}\quad \text{if } \mathrm{disjoint}(s_1,s_2)$$

$$\frac{\langle c,s\rangle \xrightarrow{\lambda} \langle c',s'\rangle}{\langle c\backslash h,\ s\rangle \xrightarrow{\lambda} \langle c'\backslash h,\ s'\rangle}\quad \text{if } \mathrm{chan}(\lambda)\ne h$$

Figure 7.3: Inference rules for the parallel constructs.


component affect only its local portion of the state, and the components may also handshake along a given channel.

The set of enabled directions for a configuration $\langle c,s\rangle$ is again given by the set

$$\mathrm{inits}(c,s) = \{\mathrm{dir}(\lambda) \mid \exists c',s'.\ \langle c,s\rangle \xrightarrow{\lambda} \langle c',s'\rangle\}.$$

Note that, given the inference rules of Figure 7.3, the configuration $\langle \mathbf{await}\ b\ \mathbf{then}\ c, s\rangle$ always has an $\varepsilon$-transition enabled, regardless of the value of the expression $b$ in state $s$. Therefore the only configurations that can be blocked are those that are trying to communicate along restricted channels.

A quasi-computation of a command $c$ from state $s$ is a maximal sequence of transitions starting in $\langle c,s\rangle$ in which the state may be changed between successive transitions. For example, the following sequence of transitions is a quasi-computation of the command $(x{:=}1;a!x)$ from state $[x=0]$:

$$\langle x{:=}1;a!x,\ [x=0]\rangle \xrightarrow{\varepsilon} \langle a!x,\ [x=1]\rangle\ \ \&\ \ \langle a!x,\ [x=3]\rangle \xrightarrow{a!3} \langle \bullet,\ [x=3]\rangle.$$
We use the notation

$$\bigl(\langle c_i,s_i\rangle \xrightarrow{\lambda_i} \langle c_{i+1},s_i'\rangle\bigr)_{i=0}^{k}
\qquad\text{and}\qquad
\bigl(\langle c_i,s_i\rangle \xrightarrow{\lambda_i} \langle c_{i+1},s_i'\rangle\bigr)_{i\ge 0}$$

to abbreviate (respectively) the finite quasi-computation

$$\langle c,s_0\rangle \xrightarrow{\lambda_0} \langle c_1,s_0'\rangle\ \&\ \langle c_1,s_1\rangle \xrightarrow{\lambda_1} \langle c_2,s_1'\rangle\ \&\ \cdots\ \&\ \langle c_k,s_k\rangle \xrightarrow{\lambda_k} \langle c_{k+1},s_k'\rangle\,\mathrm{term},$$

and the infinite quasi-computation

$$\langle c,s_0\rangle \xrightarrow{\lambda_0} \langle c_1,s_0'\rangle\ \&\ \langle c_1,s_1\rangle \xrightarrow{\lambda_1} \langle c_2,s_1'\rangle\ \&\ \cdots\ \&\ \langle c_k,s_k\rangle \xrightarrow{\lambda_k} \langle c_{k+1},s_k'\rangle\ \&\ \cdots$$


A computation of $c$ is a quasi-computation in which the state is never changed between successive transitions; that is, a computation is an interference-free quasi-computation.

Quasi-computations capture the intuition that a process's execution can be interrupted, and the state altered, by an external force (namely, the process's environment). In general, the computations of $c_1\,|||\,c_2$ cannot be defined solely in terms of the computations of $c_1$ and $c_2$, precisely because of this interference. For example, consider the following two commands:

$$c_1 = x{:=}0;\ \mathbf{if}\ x=1\ \mathbf{then}\ y{:=}0\ \mathbf{else}\ y{:=}1,\qquad c_2 = x{:=}1.$$

The parallel command $c_1\,|||\,c_2$ has a computation that sets the value of $y$ to 0, but there is no way to generate this computation by considering only computations of $c_1$ and $c_2$: the command $c_2$ does not access $y$, and every computation of $c_1$ sets $y$ to 1.

However, the quasi-computations of $c_1\,|||\,c_2$ can be defined in terms of the quasi-computations of $c_1$ and $c_2$. For example, combining the quasi-computations

$$\begin{aligned}
\rho_1 = {}& \langle c_1,\ [x=2,y=2]\rangle \xrightarrow{\varepsilon} \langle \mathbf{if}\ x=1\ \mathbf{then}\ y{:=}0\ \mathbf{else}\ y{:=}1,\ [x=0,y=2]\rangle\\
&\&\ \langle \mathbf{if}\ x=1\ \mathbf{then}\ y{:=}0\ \mathbf{else}\ y{:=}1,\ [x=1,y=2]\rangle \xrightarrow{\varepsilon} \langle y{:=}0,\ [x=1,y=2]\rangle\\
&\&\ \langle y{:=}0,\ [x=1,y=2]\rangle \xrightarrow{\varepsilon} \langle \bullet,\ [x=1,y=0]\rangle,
\end{aligned}$$

and

$$\rho_2 = \langle c_2,\ [x=2,y=2]\rangle \xrightarrow{\varepsilon} \langle \bullet,\ [x=1,y=2]\rangle$$

yields a (quasi-)computation of $c_1\,|||\,c_2$. It is this insight that drives the use of transition traces to model shared-variable programs.
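The following small-step interpreter is an added example (mine, not part of the dissertation) for the shared-variable fragment of the language; it checks the claim above on the two commands $c_1$ and $c_2$: no interference-free computation of $c_1$ ends with $y=0$, the parallel command $c_1\,|||\,c_2$ does have such a computation, and the outcome is produced by the quasi-computation $\rho_1$, in which the environment sets $x$ to 1 between two transitions. The tuple AST, `TERM`, `step`, `final_states` and `quasi_computation` are my own names.

```python
# Added example (mine, not from the dissertation): a small-step interpreter for the
# shared-variable fragment (skip, :=, ;, if, while, and the state-based c1 ||| c2).
# Commands are tuples of my own design; TERM plays the role of the terminal
# command that the text writes as a bullet.  All transitions are epsilon-labelled.

TERM = ('term',)


def eval_expr(e, s):
    """Expressions: int literal, identifier (looked up in state s), or ('=', e1, e2)."""
    if isinstance(e, int):
        return e
    if isinstance(e, str):
        return s[e]
    op, a, b = e
    if op == '=':
        return eval_expr(a, s) == eval_expr(b, s)
    raise ValueError(f"unknown operator {op!r}")


def step(c, s):
    """All single transitions <c,s> -> <c',s'> of the fragment."""
    kind = c[0]
    if kind == 'term':
        return []
    if kind == 'skip':
        return [(TERM, s)]
    if kind == 'assign':                      # ('assign', ident, expr)
        return [(TERM, {**s, c[1]: eval_expr(c[2], s)})]
    if kind == 'seq':                         # ('seq', c1, c2)
        return [((c[2] if c1 == TERM else ('seq', c1, c[2])), s1)
                for c1, s1 in step(c[1], s)]
    if kind == 'if':                          # ('if', b, c1, c2): one evaluation step
        return [((c[2] if eval_expr(c[1], s) else c[3]), s)]
    if kind == 'while':                       # ('while', b, c): unfold or terminate
        return [((('seq', c[2], c) if eval_expr(c[1], s) else TERM), s)]
    if kind == 'par':                         # ('par', c1, c2) is c1 ||| c2: either
        c1, c2 = c[1], c[2]                   # side moves on the shared state
        out = [((c2 if n1 == TERM else ('par', n1, c2)), s1) for n1, s1 in step(c1, s)]
        out += [((c1 if n2 == TERM else ('par', c1, n2)), s2) for n2, s2 in step(c2, s)]
        return out
    raise ValueError(f"unknown command {kind!r}")


def final_states(c, s, fuel=100):
    """Final states of all interference-free computations of <c,s> (depth-bounded)."""
    finals = set()

    def go(c, s, n):
        if c == TERM:
            finals.add(frozenset(s.items()))
            return
        if n == 0:
            return
        for c1, s1 in step(c, s):
            go(c1, s1, n - 1)

    go(c, s, fuel)
    return finals


def quasi_computation(c, s, interference):
    """One quasi-computation of a deterministic sequential command c from state s.
    interference[i] is None or a function applied to the state before the i-th
    transition; a non-None entry is the '&' state change of the text.
    Returns the list of configurations (c, s) visited."""
    visited = [(c, dict(s))]
    for i in range(10_000):
        if c == TERM:
            return visited
        if i < len(interference) and interference[i] is not None:
            s = interference[i](s)
            visited.append((c, dict(s)))      # the environment changed the state
        (c, s), = step(c, s)                  # exactly one successor: no 'par' here
        visited.append((c, dict(s)))
    raise RuntimeError("quasi-computation did not terminate")


# The two commands of the text and the initial state [x = 2, y = 2].
IF = ('if', ('=', 'x', 1), ('assign', 'y', 0), ('assign', 'y', 1))
C1 = ('seq', ('assign', 'x', 0), IF)
C2 = ('assign', 'x', 1)
S0 = {'x': 2, 'y': 2}

# rho_1: after x := 0 the environment sets x to 1, so the then-branch is taken.
RHO1 = quasi_computation(C1, S0, [None, lambda s: {**s, 'x': 1}, None])

if __name__ == '__main__':
    print([dict(f) for f in final_states(C1, S0)])                    # [{'x': 0, 'y': 1}]
    print(sorted(tuple(sorted(f)) for f in final_states(('par', C1, C2), S0)))
    for cfg in RHO1:
        print(cfg)
```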
7.2 Fairness for Hybrid Processes

All the notions of fairness for communicating processes introduced in Section 2.2 can be adapted for hybrid communicating processes. In this chapter, we shall consider the following version of strong fairness:

Every process that is enabled infinitely often makes progress infinitely often.

To be precise, this notion of fairness constitutes strong fairness only because the operational semantics models blocking of await-statements by busy-waiting (i.e., by idle steps). As a result, the only "true" blocking of a process arises from unsatisfiable communication attempts. If, instead, the operational semantics represented blocking of await-statements by true blocking (that is, if we omitted the idle-step transition rule for await-statements), then the intended notion of fairness might be described more accurately as follows:

Every continuously enabled process, and every process infinitely able to communicate, eventually makes progress.

That is, a process can block fairly on await-statements whose conditionals are not enabled continuously and on communications that are not enabled infinitely often. Imposing different fairness requirements on different types of transitions is not a new idea: Manna and Pnueli discuss the abstract construction of temporal proof systems predicated on identifying both strongly fair and weakly fair transition sets [MP83].

We introduce a parameterized form of strong fairness that is based on the parameterization of strong fairness given in Definition 3.1.2. This parameterization includes clauses for the shared-variable constructs $\mathbf{await}\ b\ \mathbf{then}\ c$ and $c_1\,|||\,c_2$. Moreover, because in general the computations of $c_1\,|||\,c_2$ cannot be defined solely in terms of the computations of $c_1$ and $c_2$, we base this definition on quasi-computations.

Every  infinite  quasi-computation  of  await  b  then  c  involves  the  repeated  evaluation  of  the 
boolean  expression  b  in  states  that  do  not  satisfy  b.  In  every  such  quasi-computation,  the  single 
process  repeatedly  makes  progress,  and  hence  it  is  treated  fairly.  (Equivalently,  an  infinite 
quasi-computation  indicates  that  the  await-statement  is  infinitely  often  disabled  and  hence  can 
block  fairly  under  weak  fairness.) 

The requirements for fairness of the state-based parallel command $c_1\,|||\,c_2$ are similar to (but simpler than) those for the message-based parallel command $c_1\,\|\,c_2$. Intuitively, every quasi-computation $\rho$ of $c_1\,|||\,c_2$ arises from interleaving a quasi-computation $\rho_1$ of $c_1$ with a quasi-computation $\rho_2$ of $c_2$, and $\rho$ inherits its fairness constraints from both $\rho_1$ and $\rho_2$. In particular, if $\rho_1$ is fair mod $F_1$ and $\rho_2$ is fair mod $F_2$, then $\rho$ is fair mod $F_1\cup F_2$, provided that the two quasi-computations respect the fairness constraints of one another. As with message-based parallel commands, neither component can use directions that appear in the other's fairness set, for the following reason. Intuitively, the fairness set $F_1$ represents the assumption that the command $c_1$ (and hence $c_1\,|||\,c_2$) will appear in a context that restricts communication on the channels of $F_1$ without providing synchronization opportunities for them. If $c_2$ used a direction in $F_1$ infinitely often, then the eventual context would have to provide $c_2$ infinitely many synchronization opportunities for that direction, thereby offering $c_1$ those same opportunities as well. However, it is legitimate for one component to enable (and perhaps even use) infinitely often directions whose matching counterparts appear in the other's fairness set: for example, $\rho_1$ may enable the direction $a!$ infinitely often even if $a?$ is in $F_2$. Because there is no possibility of handshaking between $c_1$ and $c_2$, the directions enabled by one component do not affect the other's fairness constraints.

Definition 7.2.1 A quasi-computation $\rho$ of command $c$ is fair modulo $F$ provided $\rho$ satisfies one of the following conditions:

• $\rho$ is a finite, successfully terminating quasi-computation;

• $\rho$ is a partial quasi-computation whose final configuration is blocked modulo $F$;

• $\rho$ is an infinite quasi-computation, $c$ has form $(c_1;c_2)$ or $(\mathbf{if}\ b\ \mathbf{then}\ c_1\ \mathbf{else}\ c_2)$, and the underlying infinite quasi-computation of $c_1$ or $c_2$ is fair mod $F$;

• $\rho$ is an infinite quasi-computation, $c$ has form $(\mathbf{while}\ b\ \mathbf{do}\ c)$ or $(g\to c)$, and all underlying quasi-computations of $c$ are fair mod $F$;

• $\rho$ is an infinite quasi-computation, $c$ has form $(gc_1\,\square\,gc_2)$, and the underlying quasi-computation of the selected $gc_i$ is fair mod $F$;

• $\rho$ is an infinite quasi-computation, and $c$ has form $\mathbf{await}\ b\ \mathbf{then}\ c$;

• $\rho$ is an infinite quasi-computation, $c$ has form $c_1\,|||\,c_2$, and there exist sets $F_1$ and $F_2$ and quasi-computations $\rho_1$ of $c_1$ and $\rho_2$ of $c_2$ such that $\rho_1$ is fair mod $F_1$, $\rho_2$ is fair mod $F_2$, $F\supseteq F_1\cup F_2$, and neither $\rho_i$ uses a direction in $F_j$ ($i\ne j$) infinitely often;

• $\rho$ is an infinite quasi-computation, $c$ has form $c'\backslash h$, and the underlying quasi-computation of $c'$ is fair modulo $F\cup\{h!,h?\}$;

• $\rho$ is an infinite quasi-computation, $c$ has form $c_1\,\|\,c_2$, and there exist sets $F_1$ and $F_2$ and quasi-computations $\rho_1$ of $c_1$ and $\rho_2$ of $c_2$ such that $\rho_1$ is fair mod $F_1$, $\rho_2$ is fair mod $F_2$, $F\supseteq F_1\cup F_2$, $\rho$ can be obtained by merging and synchronizing $\rho_1$ and $\rho_2$, neither $\rho_i$ enables infinitely often any direction matching a member of $F_j$ ($i\ne j$), and neither $\rho_i$ uses a direction in $F_j$ infinitely often. □




The following two examples, taken together, illustrate the difference in how fairness constraints are combined for the two different types of parallel composition. In particular, there are unfair computations of the command $c_1\,\|\,c_2$ that, step for step, behave like fair computations of $c_1\,|||\,c_2$.

Example 7.2.2 Consider the command $((R_1\,|||\,R_2)\,\|\,R_3)\backslash a$, where $R_1$, $R_2$ and $R_3$ are defined as follows:

$$R_1 = a!0,\qquad R_2 = \mathbf{while}\ \mathit{true}\ \mathbf{do}\ a?x,\qquad R_3 = \mathbf{while}\ \mathit{true}\ \mathbf{do}\ a!1.$$

1. The command $R_1$ has the partial (quasi-)computation

$$\rho_1 = \langle a!0,\ [x=1]\rangle,$$

which is fair modulo $\{a!\}$.

2. Let $\rho_2$ be the following infinite (quasi-)computation of $R_2$, which repeatedly receives the value 1 along channel $a$:

$$\rho_2 = \langle R_2,\ [x=1]\rangle \xrightarrow{\varepsilon} \langle a?x;R_2,\ [x=1]\rangle \xrightarrow{a?1} \langle R_2,\ [x=1]\rangle \xrightarrow{\varepsilon} \cdots$$

This computation is fair mod $\emptyset$.

3. Let $\rho_3$ be the following infinite (quasi-)computation in which $R_3$ repeatedly transmits the value 1 along channel $a$:

$$\rho_3 = \langle R_3,\ [y=1]\rangle \xrightarrow{\varepsilon} \langle a!1;R_3,\ [y=1]\rangle \xrightarrow{a!1} \langle R_3,\ [y=1]\rangle \xrightarrow{\varepsilon} \cdots$$

This computation is also fair mod $\emptyset$.

4. Let $\rho$ be the following infinite (quasi-)computation of $R_1\,|||\,R_2$:

$$\rho = \langle R_1\,|||\,R_2,\ [x=1]\rangle \xrightarrow{\varepsilon} \langle R_1\,|||\,(a?x;R_2),\ [x=1]\rangle \xrightarrow{a?1} \langle R_1\,|||\,R_2,\ [x=1]\rangle \xrightarrow{\varepsilon} \cdots$$

The computation $\rho$ can be obtained by a (trivial) interleaving of $\rho_1$ and $\rho_2$. Because neither $\rho_1$ nor $\rho_2$ uses a direction in the other computation's fairness set, $\rho$ inherits the fairness constraints of its underlying quasi-computations and is fair mod $\{a!\}$.

In particular, $\rho$ is fair mod $\{a!\}$ despite the fact that $R_2$ enables (and uses) the direction $a?$ infinitely often: $R_1$ and $R_2$ are processes that can communicate with one another only through state changes.
5. The following computation of $((R_1\,|||\,R_2)\,\|\,R_3)$, in which $R_2$ and $R_3$ repeatedly handshake on channel $a$, can be obtained by merging and synchronizing $\rho$ and $\rho_3$ (writing $s$ for the combined state $[x=1,y=1]$):

$$\begin{aligned}
\langle (R_1\,|||\,R_2)\,\|\,R_3,\ s\rangle &\xrightarrow{\varepsilon} \langle (R_1\,|||\,(a?x;R_2))\,\|\,R_3,\ s\rangle\\
&\xrightarrow{\varepsilon} \langle (R_1\,|||\,(a?x;R_2))\,\|\,(a!1;R_3),\ s\rangle\\
&\xrightarrow{\varepsilon} \langle (R_1\,|||\,R_2)\,\|\,R_3,\ s\rangle\\
&\xrightarrow{\varepsilon} \cdots
\end{aligned}$$

This computation is also fair modulo $\{a!\}$.

6. As an immediate consequence, the following computation of $((R_1\,|||\,R_2)\,\|\,R_3)\backslash a$ is strongly fair:

$$\begin{aligned}
\langle ((R_1\,|||\,R_2)\,\|\,R_3)\backslash a,\ s\rangle &\xrightarrow{\varepsilon} \langle ((R_1\,|||\,(a?x;R_2))\,\|\,R_3)\backslash a,\ s\rangle\\
&\xrightarrow{\varepsilon} \langle ((R_1\,|||\,(a?x;R_2))\,\|\,(a!1;R_3))\backslash a,\ s\rangle\\
&\xrightarrow{\varepsilon} \langle ((R_1\,|||\,R_2)\,\|\,R_3)\backslash a,\ s\rangle\\
&\xrightarrow{\varepsilon} \cdots
\end{aligned}$$

□

The following example, when compared with the previous example, illustrates how the type of communication possible between two components placed in parallel can affect the fairness of a given computation. In particular, the command $((R_1\,|||\,R_2)\,\|\,R_3)\backslash a$ has fair computations in which $R_1$ never makes a transition, but the command $((R_1\,\|\,R_2)\,\|\,R_3)\backslash a$ does not.

Example 7.2.3 Let $R_1$, $R_2$ and $R_3$ be defined as in the previous example, and consider the program $((R_1\,\|\,R_2)\,\|\,R_3)\backslash a$. That is, let $R_1$ and $R_2$ now represent processes that communicate with one another by message passing rather than by changes to the state.

Let $\rho_2$ be the computation of $R_2$ defined previously, and let $\rho_1' = \langle R_1, s\rangle$ be a trivial partial computation of $R_1$ with $x\notin\mathrm{dom}(s)$. The following computation of $R_1\,\|\,R_2$ looks almost identical to the computation $\rho$ of $R_1\,|||\,R_2$, with state-based communication replaced by message-based communication:

$$\langle R_1\,\|\,R_2,\ [x=1]\rangle \xrightarrow{\varepsilon} \langle R_1\,\|\,(a?x;R_2),\ [x=1]\rangle \xrightarrow{a?1} \langle R_1\,\|\,R_2,\ [x=1]\rangle \xrightarrow{\varepsilon} \cdots$$

Unlike $\rho$, this computation is not fair modulo $\{a!\}$: $R_1$ is enabled for synchronization with $R_2$ on channel $a$ infinitely often and yet never makes progress. □
7.3 Strongly Fair, Hybrid-Trace Semantics

As  hinted  previously,  we  can  define  hybrid  traces  that  combine  the  features  of  both  the  fair 
transition  traces  for  shared-variable  programs  and  the  strongly  fair  traces  for  communicating 
processes.  These  traces  provide  the  foundation  for  a  trace  semantics  for  the  language  of  hybrid 
communicating  processes  introduced  in  Section  7.1. 

The development of the hybrid traces and the hybrid-trace semantics is very similar to the development of the strongly fair trace semantics in Chapters 3 and 4. However, the order of presentation differs, in part because the previous chapters provide a useful foundation for the concepts involved. For example, we can introduce the necessary closure conditions earlier, because the previous chapters make their purpose clearer. Additionally, the desire to retain as much structural similarity as possible to both the transition traces and the strongly fair traces affects certain semantic decisions; it makes sense to explain these choices at the point of occurrence. For example, rather than constructing a semantics and then introducing a notion of behavior for which it can be made fully abstract, we begin by introducing a notion of behavior for which we will then construct a fully abstract semantics.

7.3.1 A busy-waiting behavior

We considered several different notions of strongly fair program behavior in Chapter 4. In this chapter, we consider a single notion of program behavior, namely the following busy-waiting behavior $\mathcal W$.

Definition 7.3.1 The busy-waiting state trace behavior $\mathcal W : \mathit{Com} \to \mathcal P(S^\infty)$ is defined by:

$$\begin{aligned}
\mathcal W[\![c_0]\!] = {}& \{\, s_0 s_1 \ldots s_k \mid \langle c_0,s_0\rangle \Rightarrow \langle c_1,s_1\rangle \Rightarrow \cdots \Rightarrow \langle c_k,s_k\rangle\,\mathrm{term} \,\}\\
\cup{}& \{\, s_0 s_1 \ldots s_k (s_k)^\omega \mid \langle c_0,s_0\rangle \Rightarrow \langle c_1,s_1\rangle \Rightarrow \cdots \Rightarrow \langle c_k,s_k\rangle\,\mathrm{dead} \,\}\\
\cup{}& \{\, s_0 s_1 \ldots \mid \langle c_0,s_0\rangle \Rightarrow \langle c_1,s_1\rangle \Rightarrow \cdots \Rightarrow \langle c_k,s_k\rangle \Rightarrow \cdots \text{ is strongly fair} \,\}.
\end{aligned}$$

□

The choice of this behavior is a pragmatic one: $\mathcal W$ corresponds both to the busy-waiting behavior $\mathcal W$ considered in Subsection 4.5.3 for communicating processes and to the behavior considered in [Bro96b] for shared-variable programs. As a result, constructing a semantics for reasoning about this notion of behavior should require minimal changes from the other two semantics.

As before, this behavior does not distinguish between deadlock and infinite idle chattering. Thus, for example, $\mathcal W[\![a!0\backslash a]\!] = \mathcal W[\![\mathbf{while}\ \mathit{true}\ \mathbf{do}\ \mathbf{skip}]\!] = \{s^\omega \mid s\in S\}$. Of course, this identification is consistent with the interpretation of deadlock as busy-waiting.
7.3.2 Hybrid traces

We again employ the set of steps

$$Z = S\times\Lambda\times S,$$

with the intuition that the step $(s,\lambda,s')\in Z$ represents a transition of form $\langle c,s\rangle \stackrel{\lambda}{\Rightarrow} \langle c',s'\rangle$. We define the set $Z^{+}$ of finite traces by

$$Z^{+} = \{(s_0,\lambda_0,s_0')(s_1,\lambda_1,s_1')\cdots(s_k,\lambda_k,s_k') \mid k\ge 0\ \&\ \forall i\le k.\ (s_i,\lambda_i,s_i')\in Z\},$$

so that state changes between successive steps are permitted. Likewise, we define the set $Z^{\omega}$ of infinite traces by

$$Z^{\omega} = \{\sigma_0\sigma_1\ldots\sigma_k\ldots \mid \forall i\ge 0.\ \sigma_i\in Z\},$$

and we let $Z^{\infty} = Z^{+}\cup Z^{\omega}$ be the set of all simple traces. These traces are an obvious combination of the shared-variable transition traces (which allow intermediate state changes) and the communicating-process traces (which include transition labels). Each simple trace $\alpha\in Z^\infty$ now represents a quasi-computation, which allows us to relax the composability criteria for simple traces: every combination of traces $\alpha$ and $\beta$ is composable, as is every infinite collection of simple traces.

Because we are interested in a behavior that models blocking by busy-waiting, we need only finite and infinite traces, with the latter representing both partial (i.e., blocking) computations and "true" infinite computations. To reason about strongly fair quasi-computations, we again need to augment infinite traces with fairness sets (representing process constraints) and sets of infinitely enabled directions. Similarly, because finite quasi-computations can be used to generate infinite quasi-computations, we augment finite traces with sets of enabled directions. Thus we again make use of the set

$$\Gamma = \mathcal P_{\mathit{fin}}(\Lambda)\times\mathcal P_{\mathit{fin}}(\Lambda)\times\{\mathrm f,\mathrm i\}$$

to provide the relevant contextual information for traces, and we define the set of fair hybrid traces as

$$\Phi = Z^{\infty}\times(\mathcal P_{\mathit{fin}}(\Lambda)\times\mathcal P_{\mathit{fin}}(\Lambda)\times\{\mathrm f,\mathrm i\}).$$

The finite trace $(\alpha,(F,E,\mathrm f))$ represents a (necessarily fair mod $F$) successfully terminating quasi-computation with enabled directions $E$. Likewise, the infinite trace $(\alpha,(F,E,\mathrm i))$ represents an infinite (or blocked), fair mod $F$ quasi-computation with infinitely enabled directions $E$.
7.3.3 Closure conditions

Because the behavior $\mathcal W$ relies on the generalized transitions $\Rightarrow$, the semantics we develop must be able to introduce and absorb $\varepsilon$-transitions; that is, the semantics must be closed under stuttering and mumbling. However, we now need a more general notion of stuttering that permits the introduction of idle steps involving arbitrary states. We define the relation $\mathrm{stut}\subseteq\Phi\times\Phi$ as follows:

$$\mathrm{stut} = \{((\alpha\beta,\theta),\ (\alpha(s,\varepsilon,s)\beta,\theta)) \mid \alpha\beta\in Z^{\infty}\ \&\ \theta\in\Gamma\ \&\ s\in S\}.$$

We also define a relation $\mathrm{mumb}\subseteq\Phi\times\Phi$ that reflects the "absorption" of transitions:

$$\begin{aligned}
\mathrm{mumb} = {}& \{((\alpha(s,\varepsilon,s')(s',\lambda,s'')\beta,\theta),\ (\alpha(s,\lambda,s'')\beta,\theta)) \mid \alpha(s,\lambda,s'')\beta\in Z^{\infty}\ \&\ \theta\in\Gamma\}\\
\cup{}& \{((\alpha(s,\lambda,s')(s',\varepsilon,s'')\beta,\theta),\ (\alpha(s,\lambda,s'')\beta,\theta)) \mid \alpha(s,\lambda,s'')\beta\in Z^{\infty}\ \&\ \theta\in\Gamma\}.
\end{aligned}$$

These  definitions  are  simplifications  of  the  stuttering  and  mumbling  relations  introduced  in 
Subsection  4.5.2. 

Again letting $\mathrm{id} = \{(\varphi,\varphi) \mid \varphi\in\Phi\}$ be the identity relation on traces, we define $\mathrm{stut}^{\infty}$ and $\mathrm{mumb}^{\infty}$ to be the (respective) greatest fixed points of the functionals

$$F(R) = \mathrm{stut}\cdot R\ \cup\ \mathrm{id},\qquad G(R) = \mathrm{mumb}\cdot R\ \cup\ \mathrm{id},$$

so that $\mathrm{stut}^{\infty} = \mathrm{stut}^{\omega}\cup\mathrm{stut}^{*}\cdot\mathrm{id}$ and $\mathrm{mumb}^{\infty} = \mathrm{mumb}^{\omega}\cup\mathrm{mumb}^{*}\cdot\mathrm{id}$. Intuitively, the pair $(\varphi,\varphi')$ is in $\mathrm{stut}^{\infty}$ (respectively, $\mathrm{mumb}^{\infty}$) if $\varphi'$ can be obtained by inserting an idle step (respectively, eliding an $\varepsilon$-step) at some of the positions along $\varphi$'s simple-trace component. Although the stuttering and mumbling steps can be applied at potentially infinitely many positions along a trace, they cannot be applied infinitely many times at any single position along a trace. Once again, this point is essential for preventing the accidental introduction of divergent traces.

To  achieve  full  abstraction,  we  will  also  need  the  closure  conditions  superset,  displacement, 
and  contention  as  introduced  in  Chapter  4.  Because  these  conditions  act  only  on  the  contextual 
components  of  traces  and  not  the  simple-trace  components,  they  translate  directly  to  hybrid 
trace  sets. 

Definition 7.3.2 For a set $T$ of hybrid traces, $T^{\dagger}$ is the smallest set containing $T$ and satisfying the following closure conditions:

• Superset: If $(\alpha,(F,E,R))$ is in $T^{\dagger}$, $R\in\{\mathrm f,\mathrm i\}$, $F\subseteq F'$, and $E\subseteq E'$, then $(\alpha,(F',E',R))$ is in $T^{\dagger}$.

• Displacement: If $(\alpha,(F,E\cup X,R))$ is in $T^{\dagger}$, $R\in\{\mathrm f,\mathrm i\}$, $X\cap\mathrm{vis}(\alpha)=\emptyset$, and $\overline{X}\subseteq\mathrm{vis}(\alpha)$, then $(\alpha,(F,E,R))$ is in $T^{\dagger}$.

• Contention: If $(\alpha,(F\cup\{d\},E,\mathrm i))$ and $(\alpha,(F,E\cup\{d\},\mathrm i))$ are both in $T^{\dagger}$, then $(\alpha,(F,E,\mathrm i))$ is also in $T^{\dagger}$.

• Stuttering: If $\varphi$ is in $T^{\dagger}$ and $(\varphi,\varphi')\in\mathrm{stut}^{\infty}$, then $\varphi'$ is also in $T^{\dagger}$.

• Mumbling: If $\varphi$ is in $T^{\dagger}$ and $(\varphi,\varphi')\in\mathrm{mumb}^{\infty}$, then $\varphi'$ is also in $T^{\dagger}$. □


7.3.4  Hybrid  trace  semantics 


We characterize a closed trace semantics $\mathcal T_h : \mathit{Com}\to\mathcal P^{\dagger}(\Phi)$ as follows, building closure into the semantics from the beginning:

$$\begin{aligned}
\mathcal T_h[\![c]\!] = \Bigl(& \{(\mathrm{trace}(\rho),(F,\mathrm{en}(\rho),\mathrm f)) \mid F\in\mathcal P_{\mathit{fin}}(\Lambda)\ \&\ \rho = \bigl(\langle c_i,s_i\rangle \xrightarrow{\lambda_i} \langle c_{i+1},s_i'\rangle\bigr)_{i=0}^{k}\ \&\ \langle c_{k+1},s_k'\rangle\,\mathrm{term}\}\\
\cup\ & \{(\mathrm{trace}(\rho)\alpha,(F,E,\mathrm i)) \mid \rho = \bigl(\langle c_i,s_i\rangle \xrightarrow{\lambda_i} \langle c_{i+1},s_i'\rangle\bigr)_{i=0}^{k}\ \&\ \neg\langle c_{k+1},s_k'\rangle\,\mathrm{term}\\
& \qquad\&\ F\supseteq\mathrm{inits}(c_{k+1},s_k') = E\ \&\ \alpha\in\{(s,\varepsilon,s) \mid \mathrm{fv}[\![c_{k+1}]\!]\subseteq\mathrm{dom}(s)\}^{\omega}\}\\
\cup\ & \{(\mathrm{trace}(\rho),(F,\mathrm{en}(\rho),\mathrm i)) \mid \rho = \bigl(\langle c_i,s_i\rangle \xrightarrow{\lambda_i} \langle c_{i+1},s_i'\rangle\bigr)_{i\ge 0} \text{ is strongly fair mod } F\}\Bigr)^{\dagger}.
\end{aligned}$$

The denotational characterization of this semantic function proceeds in the same manner as in previous chapters. In particular, most of the semantic operators can be defined as in Section 3.3 and Subsection 4.5.3, with the only difference being the more liberal interpretation of the predicate composable (and the subsequent effects on traces).

For boolean expressions $b$, we define

$$\mathcal T_h[\![b]\!] = \{((s,\varepsilon,s),(F,\emptyset,\mathrm f)) \mid (s,\mathit{tt})\in\mathcal B[\![b]\!]\ \&\ F\in\mathcal P_{\mathit{fin}}(\Lambda)\}^{\dagger},$$

so that each trace in $\mathcal T_h[\![b]\!]$ represents a sequence of idle steps, at least one of which occurs in a state that satisfies $b$.

The infinite quasi-computations of $\mathbf{await}\ b\ \mathbf{then}\ c$ are simply infinite sequences of idle transitions from states that fail to satisfy the boolean expression $b$. Thus the closed set of infinite traces of $\mathbf{await}\ b\ \mathbf{then}\ c$ can be given by $(\mathcal T_h[\![\neg b]\!]^{\omega})^{\dagger}$. The command's finite quasi-computations reflect the intended atomicity of the command $c$: after some finite sequence of idle steps in which $b$ is not satisfied, the command $c$ is executed atomically from a state satisfying $b$. Thus the command's closed set of finite traces can be defined by

$$(\mathcal T_h[\![\neg b]\!]^{*};\{((s,\varepsilon,s'),(F,E,\mathrm f))\in\mathcal T_h[\![c]\!] \mid (s,\mathit{tt})\in\mathcal B[\![b]\!]\})^{\dagger},$$

which (due to stuttering) is equivalent simply to

$$\{((s,\varepsilon,s'),(F,E,\mathrm f))\in\mathcal T_h[\![c]\!] \mid (s,\mathit{tt})\in\mathcal B[\![b]\!]\}^{\dagger}.$$

It follows that

$$\mathcal T_h[\![\mathbf{await}\ b\ \mathbf{then}\ c]\!] = (\mathcal T_h[\![\neg b]\!]^{\omega})^{\dagger}\ \cup\ \{((s,\varepsilon,s'),(F,E,\mathrm f))\in\mathcal T_h[\![c]\!] \mid (s,\mathit{tt})\in\mathcal B[\![b]\!]\}^{\dagger}.$$

There are two types of parallel composition for the hybrid communicating processes: the state-based composition $c_1\,|||\,c_2$, whereby the components communicate with one another via shared memory; and the message-based composition $c_1\,\|\,c_2$, whereby the components communicate with one another via synchronous message passing. Both types of fair parallel composition can be defined on traces (and trace sets) through the introduction of fair-merge relations on triples of traces. We have already seen the fairmerge relation for the message-based communication in Chapters 3 and 4, which we again use¹ to define message-based parallel composition on hybrid trace sets $T_1$ and $T_2$:

$$T_1\,\|\,T_2 = \{\varphi \mid \varphi_1\in T_1\ \&\ \varphi_2\in T_2\ \&\ \mathit{mergeable}(\varphi_1,\varphi_2)\ \&\ (\varphi_1,\varphi_2,\varphi)\in\mathit{fairmerge}\}.$$

We can likewise define a relation $\mathit{fairmerge}_{sv}\subseteq\Phi\times\Phi\times\Phi$ whose triples represent fair interleavings of steps made by processes that share a common state. Because each process alters the shared state, these triples do not need to propagate states in the way that the triples for message-based $\mathit{fairmerge}$ do. Instead, we can define these triples using only trace concatenation, which performs the necessary bookkeeping operations on the contextual components of traces.

The set $\mathit{both}_{sv}$ represents the interleavings of steps that occur while both components remain active. Intuitively, if the command $c_1$ can perform a finite transition sequence represented by $\varphi_1$ and the command $c_2$ can perform a finite transition sequence represented by $\varphi_2$, then the

¹To be precise, we need to extend the underlying operations $\alpha\amalg\beta$ and $\alpha\,\|\,\beta$ to traces with intermediate state changes. However, these changes are straightforward; for example, if $\alpha = (s_0,\lambda_0,s_0')(s_1,\lambda_1,s_1')\ldots(s_k,\lambda_k,s_k')$ and the state $s$ is disjoint from $\alpha$, then we define

$$\alpha\amalg s = (s_0\cup s,\lambda_0,s_0'\cup s)(s_1\cup s,\lambda_1,s_1'\cup s)\ldots(s_k\cup s,\lambda_k,s_k'\cup s).$$

Similarly, we define $\alpha\amalg\beta = (\alpha\amalg t)(\beta\amalg s)$, where $s$ and $t$ are the final state of $\alpha$ and the initial state of $\beta$, respectively. The trace $\alpha\,\|\,\beta$ again represents the stepwise synchronization of $\alpha$ and $\beta$.
parallel command $c_1\,|||\,c_2$ can perform the corresponding finite transition sequences represented by $\varphi_1\varphi_2$ and $\varphi_2\varphi_1$. We therefore define the set $\mathit{both}_{sv}$ as follows:

$$\mathit{both}_{sv} = \{(\varphi_1,\varphi_2,\varphi_1\varphi_2),\ (\varphi_1,\varphi_2,\varphi_2\varphi_1) \mid \varphi_1,\varphi_2\in\Phi_{\mathit{fin}}\}.$$

Once one component has terminated successfully, the remaining component may proceed uninterrupted. Such situations are captured by the set $\mathit{one}_{sv}$, whose triples correspond to the steps taken by one component after the other component has terminated. Letting $\epsilon$ represent the null trace, we define:

$$\mathit{one}_{sv} = \{(\varphi_1,\epsilon,\varphi_1),\ (\epsilon,\varphi_1,\varphi_1) \mid \varphi_1\in\Phi\}.$$

We then define $\mathit{fairmerge}_{sv} = \mathit{both}_{sv}^{\omega}\ \cup\ \mathit{both}_{sv}^{*}\cdot\mathit{one}_{sv}$. The triple $(\varphi,\varphi',\psi)$ is in $\mathit{both}_{sv}^{\omega}$ if and only if the traces $\varphi$, $\varphi'$, and $\psi$ can be written as infinite concatenations of finite nonempty traces

$$\varphi = \varphi_0\varphi_1\varphi_2\varphi_3\cdots,\qquad \varphi' = \varphi_0'\varphi_1'\varphi_2'\varphi_3'\cdots,\qquad \psi = \psi_0\psi_1\psi_2\psi_3\cdots,$$

such that each $\psi_i$ is either $\varphi_i\varphi_i'$ or $\varphi_i'\varphi_i$. Such triples represent the interleaving of two infinite traces. Likewise, the triple $(\varphi,\varphi',\psi)$ is in $\mathit{both}_{sv}^{*}\cdot\mathit{one}_{sv}$ if and only if the traces $\varphi$, $\varphi'$, and $\psi$ can be written as finite concatenations

$$\varphi = \varphi_0\varphi_1\varphi_2\varphi_3\cdots\varphi_n,\qquad \varphi' = \varphi_0'\varphi_1'\varphi_2'\varphi_3'\cdots\varphi_n',\qquad \psi = \psi_0\psi_1\psi_2\psi_3\cdots\psi_n,$$

such that each $\varphi_i$, $\varphi_i'$ and $\psi_i$ (for $i<n$) is a nonempty finite trace, at least one of $\varphi_n$ and $\varphi_n'$ is the null trace, and each $\psi_i$ is either $\varphi_i\varphi_i'$ or $\varphi_i'\varphi_i$.

Finally, before defining state-based parallel composition on trace sets, we introduce a binary predicate $\mathit{interleavable}(\varphi_1,\varphi_2)$ that indicates when the traces $\varphi_1$ and $\varphi_2$ can be interleaved meaningfully (i.e., when they respect each other's fairness constraints). Following the criteria specified in Definition 7.2.1, we define the predicate $\mathit{interleavable}(\varphi_1,\varphi_2)$ for hybrid traces $\varphi_1 = (\alpha,(F_1,E_1,R_1))$ and $\varphi_2 = (\beta,(F_2,E_2,R_2))$ as follows:

$$\mathit{interleavable}(\varphi_1,\varphi_2) \iff (R_1 = \mathrm f)\ \text{or}\ (R_2 = \mathrm f)\ \text{or}\ (F_1\cap\mathrm{vis}(\beta) = \emptyset\ \&\ F_2\cap\mathrm{vis}(\alpha) = \emptyset).$$

A finite trace can always be interleaved with any other trace. Moreover, two infinite traces $\varphi_1$ and $\varphi_2$ can be interleaved as long as neither trace uses infinitely often a direction that appears in the other's fairness set. We then define

$$T_1\,|||\,T_2 = \{\varphi \mid \varphi_1\in T_1\ \&\ \varphi_2\in T_2\ \&\ \mathit{interleavable}(\varphi_1,\varphi_2)\ \&\ (\varphi_1,\varphi_2,\varphi)\in\mathit{fairmerge}_{sv}\},$$

so that $\mathcal T_h[\![c_1\,|||\,c_2]\!] = (\mathcal T_h[\![c_1]\!]\,|||\,\mathcal T_h[\![c_2]\!])^{\dagger}$.
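As an added example (mine, not from the dissertation), the predicate $\mathit{interleavable}$ above is implemented next to the two fairness-set conditions that the $c_1\,\|\,c_2$ clause of Definition 7.2.1 imposes instead, and both are evaluated on the traces $\rho_1$, $\rho_2$, $\rho_3$ of Examples 7.2.2 and 7.2.3 rendered as hybrid traces. The `HybridTrace` class, the label and direction encoding, and the function names are my own; an infinite simple trace is represented by the finite block of steps it repeats, and the $\mathit{mergeable}$ predicate of Chapters 3 and 4 is not modelled.

```python
# Added example (mine, not from the dissertation): interleavable for hybrid
# traces phi = (alpha, (F, E, R)), beside the fairness-set conditions of the
# c1 || c2 clause of Definition 7.2.1, run on the traces of Examples 7.2.2/7.2.3.
# An infinite simple trace is represented by the block of steps it repeats, which
# suffices to compute vis(alpha), the directions it uses infinitely often.
# Directions are strings such as 'a!' and 'a?'; labels are 'eps', 'a!1', 'a?1'.
from dataclasses import dataclass


@dataclass(frozen=True)
class HybridTrace:
    steps: tuple       # repeating steps (s, label, s') of the simple trace alpha
    F: frozenset       # fairness set
    E: frozenset       # (infinitely) enabled directions
    R: str             # 'f' for a finite trace, 'i' for an infinite or blocked one


def direction(label):
    """dir(h!n) = h!, dir(h?n) = h?; the idle label eps has no direction."""
    if label == 'eps':
        return None
    for i, ch in enumerate(label):
        if ch in '!?':
            return label[:i + 1]
    raise ValueError(f"malformed label {label!r}")


def matching(d):
    """The complementary direction on the same channel: a! <-> a?."""
    return d[:-1] + ('?' if d.endswith('!') else '!')


def vis(phi):
    """Directions used along the repeating block, i.e. used infinitely often."""
    return frozenset(d for _, lab, _ in phi.steps if (d := direction(lab)) is not None)


def interleavable(p1, p2):
    """State-based c1 ||| c2: a finite trace interleaves with anything; two
    infinite traces may not use infinitely often a direction in the other's F."""
    if p1.R == 'f' or p2.R == 'f':
        return True
    return not (p1.F & vis(p2)) and not (p2.F & vis(p1))


def message_fairness_ok(p1, p2):
    """Fairness-set conditions of the c1 || c2 clause of Definition 7.2.1 (infinite
    case): neither trace enables infinitely often a direction matching a member of
    the other's F, and neither uses a direction of the other's F infinitely often.
    Whether the steps can actually be merged and synchronized (mergeable) is not
    modelled here."""
    for a, b in ((p1, p2), (p2, p1)):
        if any(matching(d) in b.F for d in a.E):
            return False
        if a.F & vis(b):
            return False
    return True


# Constructed hybrid-trace renderings of Example 7.2.2.  The blocked partial
# computation rho_1 of R1 = a!0 becomes an infinite trace of idle steps with a!
# enabled throughout, fair modulo {a!}.
S = (('x', 1),)                                   # the state [x = 1], as a tuple
RHO1 = HybridTrace(((S, 'eps', S),), frozenset({'a!'}), frozenset({'a!'}), 'i')
# rho_2: R2 = while true do a?x repeatedly receives 1 on a; fair mod the empty set.
RHO2 = HybridTrace(((S, 'eps', S), (S, 'a?1', S)), frozenset(), frozenset({'a?'}), 'i')
# rho_3: R3 = while true do a!1 repeatedly sends 1 on a; fair mod the empty set.
T = (('y', 1),)
RHO3 = HybridTrace(((T, 'eps', T), (T, 'a!1', T)), frozenset(), frozenset({'a!'}), 'i')

if __name__ == '__main__':
    print("R1 ||| R2:", interleavable(RHO1, RHO2))          # True  (Example 7.2.2)
    print("R1 || R2: ", message_fairness_ok(RHO1, RHO2))    # False (Example 7.2.3)
    print("R1 ||| R3:", interleavable(RHO1, RHO3))          # False: R3 uses a! in F1
```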

In summary, we present the following complete denotational characterization of the semantic function $\mathcal T_h$. Other than the newly introduced clauses for the shared-variable constructs $\mathbf{await}\ b\ \mathbf{then}\ c$ and $c_1\,|||\,c_2$, this characterization looks identical to that given for the busy-waiting semantics $\mathcal T_b$ in Subsection 4.5.3. Once again, the true differences are the underlying interpretations of the semantic operators: in particular, the semantic operators have been extended to operate on sets whose traces may contain intermediate state changes.
Definition 7.3.3 The trace semantic function $\mathcal{T}$ from $\mathrm{Com}$ to sets of traces is defined by:

$$\begin{aligned}
\mathcal{T}[\![\mathbf{skip}]\!] &= \{((s,\varepsilon,s),(F,\emptyset,\mathbf{f})) \mid s \in S \;\&\; F \in \mathcal{P}_{\mathit{fin}}(\Delta)\}\\
\mathcal{T}[\![i{:=}e]\!] &= \{((s,\varepsilon,[s \mid i=n]),(F,\emptyset,\mathbf{f})) \mid \mathit{fv}[\![i{:=}e]\!] \subseteq \mathrm{dom}(s) \;\&\; F \in \mathcal{P}_{\mathit{fin}}(\Delta) \;\&\; (s,n) \in \mathcal{E}[\![e]\!]\}\\
\mathcal{T}[\![\mathbf{if}\ b\ \mathbf{then}\ c_1\ \mathbf{else}\ c_2]\!] &= (\mathcal{T}[\![b]\!];\mathcal{T}[\![c_1]\!]) \cup (\mathcal{T}[\![\neg b]\!];\mathcal{T}[\![c_2]\!])\\
\mathcal{T}[\![\mathbf{while}\ b\ \mathbf{do}\ c]\!] &= (\mathcal{T}[\![b]\!];\mathcal{T}[\![c]\!])^{\omega} \cup (\mathcal{T}[\![b]\!];\mathcal{T}[\![c]\!])^{*};\mathcal{T}[\![\neg b]\!]\\
\mathcal{T}[\![\mathbf{await}\ b\ \mathbf{then}\ c]\!] &= \cdots \cup \{((s,\varepsilon,s'),(F,E,\mathbf{f})) \in \cdots \mid (s,\mathbf{tt}) \in \cdots\}\\
\mathcal{T}[\![h?i]\!] &= \{((s,h?n,[s \mid i=n]),(F,\{h?\},\mathbf{f})) \mid i \in \mathrm{dom}(s) \;\&\; n \in \mathbb{Z} \;\&\; F \in \mathcal{P}_{\mathit{fin}}(\Delta)\}\\
&\quad\cup\ \{(\alpha,(F,\{h?\},\mathbf{i})) \mid \alpha \in \{(s,\varepsilon,s) \mid i \in \mathrm{dom}(s)\}^{\omega} \;\&\; F \supseteq \{h?\}\}\\
\mathcal{T}[\![h!e]\!] &= \{((s,h!n,s),(F,\{h!\},\mathbf{f})) \mid (s,n) \in \mathcal{E}[\![e]\!] \;\&\; F \in \mathcal{P}_{\mathit{fin}}(\Delta)\}\\
&\quad\cup\ \{(\alpha,(F,\{h!\},\mathbf{i})) \mid \alpha \in \{(s,\varepsilon,s) \mid \mathit{fv}[\![e]\!] \subseteq \mathrm{dom}(s)\}^{\omega} \;\&\; F \supseteq \{h!\}\}\\
\mathcal{T}[\![gc_1 \Box gc_2]\!] &= (\mathcal{T}[\![gc_1]\!] \Box \mathcal{T}[\![gc_2]\!])\\
\mathcal{T}[\![c_1 \mid\mid\mid c_2]\!] &= (\mathcal{T}[\![c_1]\!] \mid\mid\mid \mathcal{T}[\![c_2]\!])\\
\mathcal{T}[\![c_1 \parallel c_2]\!] &= (\mathcal{T}[\![c_1]\!] \parallel \mathcal{T}[\![c_2]\!])\\
\mathcal{T}[\![c \backslash h]\!] &= (\mathcal{T}[\![c]\!] \backslash h)
\end{aligned}$$




7.4 Full Abstraction for the Behavior $\mathcal{W}$


The semantics $\mathcal{T}$ is fully abstract with respect to the busy-waiting trace behavior $\mathcal{W}$ introduced in Definition 7.3.1. Indeed, the full abstraction proof captures the flavor of the full abstraction proofs of both the transition trace semantics for shared-variable programs and the strongly fair trace semantics for communicating processes.

Proposition 7.4.1 The closed trace semantics $\mathcal{T}$ is inequationally fully abstract with respect to $\mathcal{W}$: for all commands $c$ and $c'$,

Proof: The forward implication follows from the compositionality of $\mathcal{T}$, the monotonicity of operations on trace sets, and the fact that, when $\mathcal{T}[\![c]\!] \subseteq \mathcal{T}[\![c']\!]$,

$$\begin{aligned}
\mathcal{W}[\![P[c]]\!] &= \{\mathit{states}(\alpha) \mid \alpha \in \mathcal{T}_a[\![P[c]]\!] \;\&\; \mathit{chans}(\alpha) = \{\varepsilon\}\}\\
&\quad\cup\ \{\mathit{states}(\alpha) \mid \exists(\alpha,\delta) \in \mathcal{T}_a[\![P[c]]\!].\ \mathit{chans}(\alpha) = \{\varepsilon\} \;\&\; \mathit{intfree}(\alpha)\}\\
&\subseteq \{\mathit{states}(\alpha) \mid \alpha \in \mathcal{T}_a[\![P[c']]\!] \;\&\; \mathit{chans}(\alpha) = \{\varepsilon\}\}\\
&\quad\cup\ \{\mathit{states}(\alpha) \mid \exists(\alpha,\delta) \in \mathcal{T}_a[\![P[c']]\!].\ \mathit{chans}(\alpha) = \{\varepsilon\} \;\&\; \mathit{intfree}(\alpha)\}\\
&= \mathcal{W}[\![P[c']]\!]
\end{aligned}$$


For the reverse implication, consider $\varphi = (\alpha,(F,E,\delta))$ in $\mathcal{T}[\![c]\!] - \mathcal{T}[\![c']\!]$. Because the analysis differs only slightly depending on whether $\varphi$ is finite or infinite, we consider both cases together. The distinguishing context we construct combines features from the full abstraction proofs for both strongly fair communicating processes and weakly fair shared-variable programs.

Let $\varphi_1 = (\alpha,(F_1,E_1,\delta)),\ldots,\varphi_m = (\alpha,(F_m,E_m,\delta))$ be the (necessarily finite number of) minimal $\alpha$-traces in $\mathcal{T}[\![c']\!]$. We define sets $X$ and $Y$ of directions, and a simple context $Q[-]$, as follows:

• If $\delta = \mathbf{f}$, then we can assume without loss of generality that $F_i = \emptyset$ for each $i$. Closure under superset ensures that $E_i \not\subseteq E$ for each $i \le m$; thus for each $i$ we can choose a direction $d_i \in E_i - E$. We let $X = \emptyset$ and $Y = \{d_i \mid 1 \le i \le m\}$, and we let $Q[-]$ be the context $Q[-] = \mathbf{while}\ \mathbf{true}\ \mathbf{do}\ [-]$.

• If $\delta = \mathbf{i}$, then Lemma 4.4.5 ensures a conflict-free resolution $R$ of $\varphi_1,\ldots,\varphi_m$ for $\varphi$. We define

$$X = \{d_i \mid 1 \le i \le m \;\&\; R(\varphi_i) = (d_i,F)\},\qquad Y = \{d_i \mid 1 \le i \le m \;\&\; R(\varphi_i) = (d_i,E)\}.$$

Because $R$ is conflict-free, it follows that $\neg\mathit{match}(X,Y)$. We let $Q[-]$ be the simple context $[-]$.

Intuitively, the context $Q$ is the minimal context necessary for generating an infinite computation from the trace $\alpha$. Every direction in $X$ represents a direction that is enabled by a permanently blocked process along some quasi-computation of $Q[c']$. Every direction in $Y$ is a direction enabled infinitely often along some quasi-computation of $Q[c']$ and yet enabled only finitely often along $\varphi$ (or $\varphi^{\omega}$, if $\alpha$ is finite). Moreover, every computation of $Q[c']$ with the simple trace $\alpha$ (or $\alpha^{\omega}$) must have an infinitely enabled direction of $Y$ or a blocked process with an enabled direction in $X$.
Let $x$ and $y$ be fresh identifiers, and define sets of "matching guards" for $X$ and $Y$ as follows:

$$G_X = \{h!0 \mid h? \in X\} \cup \{h?x \mid h! \in X\},\qquad G_Y = \{h!0 \mid h? \in Y\} \cup \{h?y \mid h! \in Y\}.$$

In the full abstraction proofs of Chapter 4, this analysis sufficed for constructing the distinguishing context: we placed $Q[-]$ in parallel with commands $\mathit{Guess}(H,G_X,f_1)$ and $\sum_{g \in G_Y} g \Rightarrow f_2{:=}1$, and only $Q[c]$ could perform the transitions of $\alpha$ without setting either flag $f_1$ or $f_2$ to 1. However, we now also have to consider the possibility that $\alpha$ may not be interference-free. For example, if

$$\alpha = (s_0,\lambda_0,s_0')(s_1,\lambda_1,s_1')\cdots(s_k,\lambda_k,s_k'),$$

our distinguishing context must provide a way to "fill in the gaps" and convert each state $s_i'$ into $s_{i+1}$.

Let $x_1,\ldots,x_n$ be the free identifiers of $c$ and $c'$, and let $h_1,\ldots,h_k$ be the channel names appearing in $c$. Without loss of generality, we can assume that each state appearing along $\alpha$ is defined on precisely the identifiers $x_1,x_2,\ldots,x_n$. Let $f_1,f_2,ct,t,y_1,\ldots,y_n,z_1,\ldots,z_n$ be fresh identifiers.

Let $x{:=}y$ abbreviate the command $x_1{:=}y_1;x_2{:=}y_2;\cdots;x_n{:=}y_n$, let $x{:=}0$ abbreviate the command $x_1{:=}0;x_2{:=}0;\cdots;x_n{:=}0$, and let $x = y$ represent the boolean expression

$$(x_1 = y_1)\ \&\ (x_2 = y_2)\ \&\ \cdots\ \&\ (x_n = y_n).$$

Let $\mathit{Choose}(y,t)$ be the following command:

$$\begin{array}{l}
y{:=}0;\ t{:=}0;\ (\ t{:=}1\\
\quad \mid\mid\mid\ \mathbf{while}\ t = 0\ \mathbf{do}\ y_1{:=}y_1+1\\
\quad \mid\mid\mid\ \mathbf{while}\ t = 0\ \mathbf{do}\ y_2{:=}y_2+1\\
\quad\quad \vdots\\
\quad \mid\mid\mid\ \mathbf{while}\ t = 0\ \mathbf{do}\ y_n{:=}y_n+1\ )
\end{array}$$

Intuitively, the command $\mathit{Choose}(y,t)$ can "guess" states: for every state $s$ with domain $\{x_1,\ldots,x_n\}$, $\mathit{Choose}(y,t)$ has a successfully terminating computation whose final state assigns to variable $y_i$ the value of $x_i$ in state $s$.

Finally, we construct the following command $\mathit{CloseGap}(x,y,z,t,ct)$, which provides the mechanism to close $\alpha$'s state gaps:

$$\begin{array}{l}
\mathbf{while}\ \mathbf{true}\ \mathbf{do}\\
\quad (\ \mathit{Choose}(y,t);\ \mathit{Choose}(z,t);\\
\quad\ \ ct{:=}ct+1;\\
\quad\ \ \mathbf{await}\ (x = y)\ \mathbf{then}\ x{:=}z\ )
\end{array}$$

Intuitively, this command has a computation that, on its $i$-th iteration through the loop, guesses the values of $\{x_1,\ldots,x_n\}$ in state $s_i'$ (storing them in $\{y_1,\ldots,y_n\}$) and in state $s_{i+1}$ (storing them in $\{z_1,\ldots,z_n\}$), waits until state $s_i'$ is reached, and then changes the state from $s_i'$ to $s_{i+1}$ atomically. The identifier $ct$ indicates which state gap is being closed: $ct$ changes value from $i$ to $i+1$ on the iteration that closes the gap between states $s_i'$ and $s_{i+1}$.
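The $\mathit{Choose}(y,t)$ and $\mathit{CloseGap}$ commands above, simulated under explicit interleavings, as an added example that is not part of the dissertation. The functions `run_choose`, `schedule_for`, `unfair_schedule`, `close_gaps` and the sample trace `SAMPLE_ALPHA` are this example's own; fairness is modelled simply by whether the scheduler ever runs $t{:=}1$, so a schedule that never does so leaves $\mathit{Choose}$ spinning, while every fair schedule terminates and every non-negative target vector is reachable (states carry non-negative integers only, a simplification of this example). The gap-closing loop then uses $\mathit{Choose}$ to guess $s_i'$ and $s_{i+1}$, increments $ct$, and performs the atomic $\mathbf{await}$ step.

```python
"""Simulation of Choose(y,t) and CloseGap under explicit schedules; constructed example."""
from typing import List, Optional, Sequence, Tuple

State = Tuple[int, ...]


def run_choose(n: int, schedule: Sequence[int],
               max_steps: int = 10_000) -> Optional[State]:
    """Execute  y:=0; t:=0; ( t:=1 ||| while t=0 do y_1:=y_1+1 ||| ... )
    under an explicit interleaving.  Process 0 is the assignment t:=1 and
    process i (1..n) is the i-th loop.  One scheduled step of a loop tests
    t and, if t = 0, increments y_i; if t = 1 the loop exits.  Returns the
    final y-vector once every process has finished, or None if the schedule
    (or max_steps) runs out first, i.e. the command has not terminated."""
    y = [0] * n
    t = 0
    done = [False] * (n + 1)
    for step, p in enumerate(schedule):
        if step >= max_steps:
            break
        if done[p]:
            continue            # a finished process has nothing left to run
        if p == 0:
            t = 1
            done[0] = True
        elif t == 0:
            y[p - 1] += 1
        else:
            done[p] = True
        if all(done):
            return tuple(y)
    return None


def schedule_for(target: State) -> List[int]:
    """A fair interleaving under which Choose terminates with y = target:
    run loop i exactly target[i-1] times, then t:=1, then let each loop
    observe t = 1 and exit."""
    sched: List[int] = []
    for i, v in enumerate(target, start=1):
        sched += [i] * v
    sched.append(0)
    sched += list(range(1, len(target) + 1))
    return sched


def unfair_schedule(n: int, rounds: int) -> List[int]:
    """An interleaving that never runs t:=1; the loops spin forever."""
    return [i for _ in range(rounds) for i in range(1, n + 1)]


def close_gaps(alpha: Sequence[Tuple[State, State]]) -> Tuple[State, int]:
    """Model CloseGap's job over a trace alpha given as (s_i, s_i') pairs:
    step i of the program turns s_i into s_i', and step i+1 expects to start
    in s_{i+1}.  On its i-th iteration CloseGap guesses y = s_i' and
    z = s_{i+1} with Choose, increments ct, and performs
    await (x = y) then x := z.  Returns the final shared state x and ct."""
    n = len(alpha[0][0])
    x = alpha[0][1]                        # state after the program's first step
    ct = 0
    for i in range(len(alpha) - 1):
        s_i_prime = alpha[i][1]
        s_next, s_next_prime = alpha[i + 1]
        y = run_choose(n, schedule_for(s_i_prime))   # guess s_i'
        z = run_choose(n, schedule_for(s_next))      # guess s_{i+1}
        ct += 1
        if x != y:                         # the await would block forever
            raise RuntimeError(f"await (x = y) blocks at gap {ct}: x={x}, y={y}")
        x = z                              # atomic change s_i' -> s_{i+1}
        x = s_next_prime                   # the program's own step i+1
    return x, ct


# A constructed trace with two state gaps: after step 0 the program is in
# (1, 0) but step 1 starts from (2, 0); after step 1 it is in (2, 1) but
# step 2 starts from (7, 1).
SAMPLE_ALPHA = (((0, 0), (1, 0)), ((2, 0), (2, 1)), ((7, 1), (7, 7)))


if __name__ == "__main__":
    print(run_choose(3, schedule_for((3, 0, 5))))   # (3, 0, 5)
    print(run_choose(2, unfair_schedule(2, 50)))    # None: never terminates
    print(close_gaps(SAMPLE_ALPHA))                 # ((7, 7), 2)
```

The schedule returned by `schedule_for` is the existence witness behind the remark that $\mathit{Choose}$ can guess any state, and `close_gaps` ends with $ct$ equal to the number of gaps in the trace, matching the role of $ct$ described above.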

We can now define the distinguishing context $P[-]$ as follows:

$$P[-] = \big((Q[-] \mid\mid\mid \mathit{CloseGap}(x,y,z,t,ct)) \parallel \mathit{Guess}(H,G_X,f_1) \parallel \sum_{g \in G_Y} g \Rightarrow f_2{:=}1\big)\backslash h_1\backslash\cdots\backslash h_k.$$

$\mathcal{W}[\![P[c]]\!]$ has a behavior corresponding to $\alpha$ in which neither $f_1$ nor $f_2$ is ever set to 1. In contrast, every behavior of $\mathcal{W}[\![P[c']]\!]$ corresponding to $\alpha$ must eventually set at least one of the flags $f_1$ and $f_2$ to 1. ∎

This full abstraction result is meaningful not only for what it says about the utility of the semantics $\mathcal{T}$ but also for what it says about the robustness and applicability of the general trace framework. By combining two fully abstract semantics for different languages in a natural way, we construct a third semantics that is fully abstract for a hybrid language based on the original two languages. Moreover, the full-abstraction proof for the hybrid semantics arises as a natural combination of the two original full-abstraction proofs.




Chapter  8 
Conclusions 


In this dissertation, I have described a general, trace-based, denotational framework for modeling fair communicating processes. In this chapter, I discuss some connections between this framework and related work, as well as some directions for future work. I conclude with a summary of the contributions of this thesis and some final thoughts.


8.1  Related  Work 

The framework that I have described builds on a long history of trace models for concurrency [Par79, Bro96b, Hoa81, BHR84, BR84, Hen85, Jon87, Rus90, Jos92, JJH90]. In fact, my fair trace semantics can be viewed as extensions to both the CSP failures model and the CCS acceptance-tree model for dealing with fair, infinite computations. Of course, I am not the first to provide extensions for modeling fairness.

For  dataflow  and  asynchronous  networks,  Jonsson  provides  a  fully  abstract  trace  model 
that  incorporates  assumptions  of  weak  fairness  [Jon94].  By  modeling  channels  as  transition 
systems  with  their  own  fairness  constraints  and  limiting  use  of  each  channel,  he  ensures  that 
every  process  makes  progress  if  enabled  infinitely  often.  Essential  for  modeling  weak  fairness 
are  the  assumptions  that  each  channel  is  used  for  input  by  at  most  one  node,  that  each  channel 
is  used  for  output  by  at  most  one  node,  and  that  no  channel  is  used  for  both  input  and  output 
by  any  node. 

In [Hen87], Hennessy extends acceptance trees with limit points that indicate which infinite paths are fair. The notion of fairness incorporated into this semantics is a form of unconditional fairness: an infinite computation is considered fair if every process makes infinitely many transitions along that computation. In particular, certain commands—such as $(\mathbf{skip} \parallel \mathbf{while}\ \mathbf{true}\ \mathbf{do}\ \mathbf{skip})$—do not have any fair computations: $\mathbf{skip}$ cannot make infinitely many transitions and $\mathbf{while}\ \mathbf{true}\ \mathbf{do}\ \mathbf{skip}$ can never terminate. Brookes adds infinite traces to Hoare's trace semantics [Hoa81] to model fair, infinite computations [Bro94], adapting Park's fairmerge operator [Par79] to handle the potential of synchronization between parallel components. The result of these modifications is a semantics suited for reasoning about a slightly more liberal notion of fairness: an infinite computation is considered fair if every process either makes infinitely many transitions or terminates successfully.

Neither  of  these  semantics  is  sufficient  for  reasoning  about  more  general  notions  of  fairness 
in  which  processes  may  become  blocked,  such  as  weak  or  strong  process  fairness.  The  problem 
is  that  synchronous  communication  requires  the  active  cooperation  and  participation  of  more 
than  one  process:  a  process’s  ability  to  make  progress  can  depend  on  the  processes  in  parallel 
with  it  and  their  willingness  to  synchronize.  As  a  result,  to  support  reasoning  about  these 
types  of  fairness,  it  is  essential  to  augment  traces  with  additional  information  about  the  types 
of  communications  possible  along  the  computation. 

This observation, which underlies my framework, also provides a foundation for Darondeau's fully abstract, strongly fair semantics for a stateless, CCS-like language [Dar85]. In this semantics, the meaning of a term is a set of histories, each having form $(s, p, d)$: $p$ is a (finite or infinite) trace of a program's interactions with its environment, $s$ is a set containing the actions on which processes are blocked, and $d$ (which is disjoint from $s$) is a set containing the actions enabled infinitely often (but not involved in blocking) along the trace $p$. Generally speaking, an infinite trace $(\alpha,(F,E,\mathbf{i}))$ in my framework corresponds to a history $(F,\alpha,(E - F))$.

I discovered Darondeau's work late in the process of writing this dissertation, two years after first developing the strongly fair semantics of Chapter 3. Although developed independently, my framework places Darondeau's work in a more general light. In addition to its statelessness, the language he considers has no notion of sequential composition and only a very limited form of recursion based on iteration: the iterative constructs generate only infinite computations, and no other language constructs can appear in the context of these iterative constructs. Moreover, my development makes explicit the underlying concept of parameterized strong fairness, which can be used either to aid operational reasoning or to ease the task of developing semantics for other notions of fairness. In contrast, Darondeau provides hints of the source of the fairness-related sets $s$ and $d$, but he never presents an exact explanation of what these sets represent. As a result, it is unclear how he would extend his approach to other notions of fairness.


8.2  Directions  for  Future  Work 


Throughout this dissertation, we have focused on a simple language of communicating processes. However, we have omitted several common language features, including recursion and more general message types. We now consider these features briefly in turn.
To give semantics to loops, we introduced finite and infinite iteration on trace sets. Although we did not state so explicitly, the meaning of the loop $(\mathbf{while}\ b\ \mathbf{do}\ c)$ could be formulated equivalently as the greatest fixed point of the functional

$$F(X) = (\mathcal{T}[\![b]\!];\mathcal{T}[\![c]\!]);X \cup \mathcal{T}[\![\neg b]\!]$$

as in [Bro96b]. Likewise, for general recursive constructs such as $\mathbf{rec}\ x.t$, we should again be able to use greatest fixed points, using functionals of the general form

$$F'(X) = [\![t]\!]\rho[X/x],$$

where $\rho$ is a fixed environment for the free variables of $t$ other than the recursion variable $x$. However, this type of characterization not only requires the introduction of environments (as in "standard" denotational semantics) but also obscures the understanding of the role of fairness constraints. For example, how do the fair computations of $(\mathbf{rec}\ x.a.x) \parallel (\mathbf{rec}\ x.b.x)$ compare with the fair computations of $\mathbf{rec}\ x.(a.x \parallel b.x)$? They share the same finite prefixes, and yet the latter generates significantly more processes dynamically (each with its own fairness constraints).

The only types of messages allowed in the simple language we have considered are integer values, but it is easy to imagine more general message types. For example, the π-calculus [MPW92] allows the transmission of names, which may refer to links (i.e., channels) between processes; similarly, there are higher-order calculi that allow processes themselves to be sent as messages [Tho89]. In these situations, messages can alter the communication topology dynamically. Related to this situation is the potential of procedures that accept channel names or processes as parameters. In both cases, an accurate semantics must account for the dual role of channel names: they not only refer to the communication links between processes, they also provide necessary information about fairness constraints. I expect that environments that reflect this dual role of channels can be introduced in a straightforward way.

There are several results that classify the relative expressive power of various fair-merge [PS88b, PS88a] and fair-choice [MPS88] operators for dataflow networks, as well as the power of different delay operators for SCCS [CP91]. A similar question arises in the setting of communicating processes. As mentioned in Chapter 2, there are programs that terminate under one notion of fairness that do not necessarily terminate under other notions of fairness. However, is the hierarchy also one of implementability? For example, can a weakly fair scheduler be used to implement a strongly fair scheduler, and (if so) what type of language features are necessary?

Throughout this dissertation, I have hinted how the trace framework might support reasoning about fair behavior, but the question remains: how does this framework help the practitioner? Fairness is an abstraction introduced to support reasoning about program behavior. While the framework provides a way to model fairness compositionally, the model is useful only if it helps the task of reasoning about programs. An important open question is: what type of insight does this framework provide the programmer, either directly or indirectly? Are there particular structuring techniques that facilitate reasoning about programs under fairness assumptions? For example, we saw that modeling weak fairness required a significant amount of program semantic structure: are there certain classes of programs for which modeling weak fairness becomes simpler?


8.3  Thesis  Contributions 

In this dissertation, I have presented a general framework for constructing denotational semantics that incorporate fairness assumptions for communicating processes. The primary units of this framework are fair traces, which are abstract representations of program computations. The meaning of a program is the set of fair traces that correspond to its fair computations; the semantic operators on trace sets correspond intuitively to the operational behavior of the program constructs. The use of traces provides an intuitive connection between a program's operational behavior and its semantic meaning.

This framework is the primary contribution of this thesis: it provides a general, extendible, modular approach for constructing semantics that support reasoning about fair program behavior. To demonstrate the robustness of the framework, I have focused on a single language and constructed for it several semantics that incorporate different types of fairness assumptions. In the process, I developed:

• Several fully abstract, strongly fair denotational semantics for state-based communicating processes.

•  A  sound  channel-fair  denotational  semantics  for  communicating  processes. 

•  A  sound  weakly  fair  denotational  semantics  for  communicating  processes. 

I also constructed a fully abstract, strongly fair semantics for a language that combines both synchronous message passing and shared-variable parallelism. Figure 8.1 summarizes these semantics, highlighting the structure of the fair traces for each semantics.

Through these semantics, the framework also provides the following secondary contributions:

• The introduction and formalization of parameterized fairness, which provides a compositional characterization of fairness.

The definition of parameterized strong process fairness, and the related parameterized definitions for channel fairness and weak process fairness, were introduced to permit a denotational characterization of fairness. However, they are also suitable for purely operational reasoning, allowing syntax-directed reasoning about program behavior.
Figure 8.1: Summary of semantics in the fair-trace framework.


•  Implicit  comparison  of  several  different  fairness  assumptions. 

When taken together, the strongly process-fair semantics, the strongly channel-fair semantics, and the weakly process-fair semantics provide an interesting side-by-side comparison of some of the notions of fairness commonly considered for communicating processes. Because these semantics have all been constructed for the same language, they highlight both the differences in semantic structure that these various assumptions require and the effects that these fairness assumptions have on program behavior.

In particular, the channel-fair and weakly fair semantics require significantly more structure than the strongly fair semantics does, reflecting their lack of equivalence robustness [AFK88]. The need to keep track of the communications enabled at each step not only complicates the semantic models but also suggests that perhaps these notions of fairness do not provide useful and practical abstractions to the programmer.

• Fully abstract semantics for strong process fairness.

The full-abstraction results validate the suitability of the strongly fair traces for reasoning about strongly fair behavior. In particular, they indicate that the strongly fair traces provide precisely the necessary information for reasoning about strongly fair program behavior in a compositional, syntax-directed way.

The fully abstract semantics also provide interesting technical results, indicating that fairness can be modeled accurately in spite of the expected difficulties.
8.4 Final Comments

Fairness provides an important abstraction to the programmer, but the problems inherent in modeling fairness have prevented its widespread use in reasoning formally about program behavior. The introduction of fair traces helps bridge this gap: they permit operational intuition to guide formal reasoning. Moreover, the notion of parameterized fairness provides an accessible way to reason about fair behavior in a systematic, syntax-directed way.